Practice Tests - Chapter 1: Domain 1.0: Security Operations Flashcards

Question

22- Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running? * LDAPS and HTTPS * FTPS and HTTPS * RDP and HTTPS * HTTP and Secure DNS

Answer 1

**LDAPS and HTTPS** TCP port 636 is often used for secure LDAP, and secure HTTP typically uses TCP 443. Although other services could use these ports, Jennifer’s best bet is to presume that they will be providing the services they are typically associated with.

Answer 2

**A dynamic analysis sandbox** Wang’s screenshot shows behavioral analysis of the executed code. From this, you can determine that malwr is a dynamic analysis sandbox that runs the malware sample to determine what it does while also analyzing the file.

Answer 3

**Low.** Sarah knows that domain registration information is publicly available and that her organization controls the data that is published. Since this does not expose anything that she should not expect to be accessible, she should categorize this as a low impact.

Answer 4

Indicates that someone is doing a ping sweep

Answer 5

**The host does not have a DNS entry.** While the system responded on common Windows ports, you cannot determine whether it is a Windows system. It did respond, and both ports 139 and 445 were accessible. When the host the Wireshark capture was conducted from queried DNS, it did not receive a response, indicating that the system does not have a DNS entry (or at least, it doesn’t have one that is available to the host that did the scan and ran the Wireshark capture).

Answer 6

**It provides information about the techniques attackers are using.** A honeypot is used by security researchers and practitioners to gather information about techniques and tools used by attackers. A honeypot will not prevent attackers from targeting other systems, and unlike a tarpit, it is not designed to slow down attackers. Typically, honeypot data must be analyzed to provide useful information that can be used to build IDS and IPS rules.

Answer 7

**An active defense** Tarpits are a form of active defense that decoy or bait attackers. Passive defenses include cryptography, security architecture, and similar options. Sticky defenses and reaction‐based defenses were made up for this question.

Answer 8

**Sandboxing** Susan’s best option is to use an automated testing sandbox that analyzes the applications for malicious or questionable behavior. Although this may not catch every instance of malicious software, the only other viable option is decompiling the applications and analyzing the code, which would be incredibly time‐consuming. Since she doesn’t have the source code, Fagan inspection won’t work (and would take a long time too), and running a honeypot is used to understand hacker techniques, not to directly analyze application code.

Answer 9

**The files do not match.** Manesh knows that the file she downloaded and computed a checksum for does not match the MD5 checksum that was calculated by the providers of the software. She does not know if the file has been corrupted or if attackers have modified the file, but she may want to contact the providers of the software to let them know about the issue—and she definitely shouldn’t execute or trust the file!

Answer 10

**Submit cmd.exe to VirusTotal.** Susan’s best option is to submit the file to a tool like VirusTotal that will scan it for virus‐like behaviors and known malware tools. Checking the hash either by using a manual check or by using the National Software Reference Library can tell her if the file matches a known good version but won’t tell her if it includes malware. Running a suspect file is the worst option on the list.

Answer 11

**Network segmentation** The strategy outlined by Nishi is one of network segmentation—placing separate functions on separate networks. She is explicitly not interconnecting the two networks. VPNs and VLANs are also technologies that could assist with the goal of protecting sensitive information, but they use shared hardware and would not necessarily achieve the level of isolation that Nishi requires.

Answer 12

**Airgapping** Bobbi is adopting a physical, not logical, isolation strategy. In this approach, known as air‐gapping, the organization uses a stand‐alone system for the sensitive function that is not connected to any other system or network, greatly reducing the risk of compromise. VLAN isolation and network segmentation involve a degree of interconnection that is not present in this scenario.

Answer 13

**Host firewall** Host firewalls operate at the individual system level and, therefore, cannot be used to implement network segmentation. Routers and switches may be used for this purpose by either physically separating networks or implementing VLAN tagging. Network firewalls may also be used to segment networks into different zones.

Answer 14

**Logical segmentation** Ian knows that deploying multiple access points in the same space to deploy a physically segmented wireless network would significantly increase both the costs of deployment and the complexity of the network due to access points causing conflicts. His best choice is to logically segment his networks using one set of access points. SSID and WPA segmentation are both made‐up terms for this question.

Answer 15

**Hashing cannot identify unknown malware.** Relying on hashing means that Charles will be able to identify only the specific versions of malware packages that have already been identified. This is a consistent problem with signature‐based detections, and malware packages commonly implement polymorphic capabilities that mean that two instances of the same package will not have identical hashes due to changes meant to avoid signature‐based detection systems.

Answer 16

**Knowledge and possession** The most common factors for multifactor systems today are knowledge factors (like a password) and possession factors, which can include a token, an authenticator application, or a smartcard.

Answer 17

**VoIP hacks and SIM swapping.** NIST has pointed out that SMS is a relatively insecure way to delivering codes as part of a multifactor authentication system. The two most common attacks against SMS message delivery are VoIP hacks, where SMS messages may be delivered to a VoIP system, which can be accessed by an attacker, and SIM swapping attacks, where a SIM card is cloned and SMS messages are also delivered to an attacker.

Answer 18

**It allows software‐defined network controllers to push changes to devices to manage the network.** OpenFlow is used to allow software‐defined network (SDN) controllers to push changes to switches and routers, allowing flow control, network traffic partitioning, and testing of applications and configurations.

Answer 19

OpenFlow is an API (application programming interface) that allows for the central control of networks, which makes networks programmable through software-defined networking (SDN). The OpenFlow protocol is used to **allow software-defined network (SDN) controllers to push changes to switches and routers, allowing flow control, network traffic partitioning, and testing of applications and configurations**

Answer 20

**A honeynet** Rick’s team has set up a honeynet—a group of systems set up to attract attackers while capturing the traffic they send and the tools and techniques they use. A honeypot is a single system set up in a similar way, whereas a tarpit is a system set up to slow down attackers. A blackhole is often used on a network as a destination for traffic that will be silently discarded.

Answer 21

**Horizontal scaling** Scaling a serverless system is a useful way to handle additional traffic but will not prevent denial‐of‐service (DoS) attacks from driving additional cost. In fact, horizontal scaling will add additional costs as it scales. API keys can be used to prevent unauthorized use of the serverless application, and keys can be deprovisioned if they are abused. Capping API invocations and using timeouts can help limit the maximum number of uses and how much they are used, both of which can help prevent additional costs.

Answer 22

**Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system.** Virtualization allows you to run multiple operating systems on the same underlying hardware, whereas containerization lets you deploy multiple applications on the same operating system on a single system. Containerization can allow direct hardware access, whereas virtualization typically does not. Virtualization is not necessary for containerization, although it is often used, but containerization can get performance improvements from bare‐metal installations. Finally, there is a key difference, as noted in option B.

Answer 23

**Run a container host for each application group and secure them based on the data they contain.** Workloads in a secure containerization environment should be distributed in a way that allows hosts to run containers of only a specific security level. Since Brandon has three different security levels in his environment, he should use separate hosts that can be configured to secure the data appropriately while also limiting the impact if a container is breached.

Answer 24

**Single sign‐on implementations** All of these are examples of single sign‐on (SSO) implementations. They allow a user to use a single set of credentials to log in to multiple different services and applications. When federated, SSO can also allow a single account to work across a variety of services from multiple organizations.

Answer 25

**CASB** A cloud access security broker (CASB) can perform actions such as monitoring activity, managing cloud security policies for SaaS services, enforcing security policies, logging, alerting, and in‐line policy enforcement when deployed with agents on endpoint devices or as a proxy.

Answer 26

**TLS** Transport Layer Security (TLS) is used to secure web and other types of traffic. Many people still call TLS SSL out of habit, but TLS is actually a different protocol and has replaced Secure Sockets Layer (SSL). IPsec is an encryption protocol used for VPNs and other point‐to‐point connections between networks. Point‐to‐Point Tunneling Protocol (PPTP) has a number of security issues.

Answer 27

**An active defense** Active defenses are aimed at slowing down attackers while using their resources. The rest of the terms listed here were made up for this question. Active defenses are sometimes referred to as deception technology.

Answer 28

**Physical access** Physical access is the best (and often only) way to compromise an air‐gapped, physically isolated system. Although some esoteric attack methods can gather information via RF, acoustic, or other leakage, real‐world scenarios will require physical access in almost all cases.

Answer 29

**Both the relying party and the identity provider** In a SAML transaction, the user initiates a request to the relying party, who then redirects the user to the SSO provider. The user then authenticates to the SAML identity provider and receives a SAML response, which is sent to the relying party as proof of identity.

Answer 30

**Processor security extensions** These are all examples of processor security extensions providing additional cryptographic instructions. Since AES, 3DES, and ECC are all encryption algorithms and SHA‐256 is a hashing algorithm, we know that this can’t be either of the first two options alone. Bus encryption may use these, but they aren’t just examples of bus encryption algorithms.

Answer 31

**Reduced cost** Although physical segmentation can make it easier to see specific traffic while providing better network security and increased performance, running a separate infrastructure is rarely a less expensive option.

Answer 32

**Creating a shared network** Segmented networks are almost always used to isolate groups rather than to combine them. Common uses include specific network segments for VoIP, wireless, or specific trust zones and levels.

Answer 33

**Application, Control, and Infrastructure layers** Software‐defined networks (SDNs) consist of three major layers: the application layer, where information about the network is used to improve flow, configuration, and other items; the control layer, which is where the logic from SDN controllers control the network infrastructure; and the infrastructure layer, which is made up of the networking equipment. If you’re not deeply familiar with SDNs, you can address questions like this by reviewing what you do know. The other three options contain elements of the OSI model but don’t make sense in the context of SDN.

Answer 34

**Automated vulnerability scanning** If Micah implements automated vulnerability scanning, he can check to see if the applications that are about to be deployed have known vulnerabilities. Automated patching will also help with this, but will only apply available patches and will not assess whether there are configuration vulnerabilities or unpatched vulnerabilities. Fuzz testing can help to test if the applications have issues with unexpected input but will not address most vulnerabilities, and hashing will only tell him if he is running the version of code that he expects to, not if it is vulnerable.

Answer 35

**An IDP** Camille will need to integrate her identity provider (IDP) to provide authentication and authorization. Once users are authenticated, they can use various service providers throughout the federation. She will also probably want to use some form of single sign‐on (SSO) service, but it is not required to be part of a federation.

Answer 36

**All of the above** Where possible, NIST recommends segmenting by purpose, data sensitivity, and threat model to separate OS kernels.

Answer 37

This publication explains the **potential security concerns associated with the use of containers** and provides recommendations for addressing these concerns.

Answer 38

**Both A and B.** The NIST 800‐190 guidelines note that traditional vulnerability management tools may make assumptions like those in options A and B regarding the systems and applications they are scanning. Since containers are ephemeral and may be updated and changed very frequently, a traditional vulnerability scanning and management approach is likely to be a poor fit for a containerized environment.

Answer 39

**Entitlement management across multiple systems** The most distinctive feature of privileged account management tools for enterprise use is the ability to manage entitlements across multiple systems throughout an enterprise IT environment. Broader identity and access management systems for enterprises provide user account management and life‐cycle services, including account expiration tools and password life‐cycle management capabilities.

Answer 40

**SAML** SAML provides all of the capabilities Amira is looking for. Unlike SAML, OAuth is an authorization standard, not an authentication standard. LDAP provides a director and can be used for authentication but would need additional tools to be used as described. Finally, OpenID Connect is an authentication layer on top of OAuth, which is an authorization framework. Together, they would also meet the needs described here, but individually they do not.

Answer 41

**If the traffic is unencrypted** Adam knows that TCP/80 is the normal port for unencrypted HTTP traffic. As soon as he sees the traffic, he should immediately check if the traffic is unencrypted. If it is, his first recommendation will likely be to switch to TLS encrypted traffic. Once that is complete, he can worry about whether data is encrypted at rest and if usernames and passwords are passed as part of the traffic, which might be acceptable if it was protected with TLS!

Answer 42

**None of the above** Serverless environments are a shared service, and since there is not a system that is accessible to consumers, there is nowhere to install endpoint tools. Similarly, network IPSs cannot be placed in front of a shared resource. Elaine should also be aware that any flaw with the underlying serverless environment will likely impact all of the service hosting systems.

Answer 43

**Increasing the number of systems in a network segment** Segmentation is typically used to decrease the number of systems in a network segment, rather than to increase it. Segmentation is often used to decrease an organization’s attack surface by moving systems that don’t need to be exposed to a protected segment. It can also be used to limit compliance impact by removing systems from a compliance zone that do not need to be part of it. Finally, limiting the number of systems or devices in segment or keeping potentially problematic systems in an isolated network segment can help increase availability.

Answer 44

**Send the logs to a remote server.** Nathan’s best option is to send the logs to a remote server. The server should be protected to ensure that the same exploits that might compromise other systems will not impact the secure log storage server or service. In many organizations, a SIEM device or security logging tool like ELK or Splunk may be used to store and work with these logs.

Answer 45

**Authman** OpenID, SAML, and OAuth are all commonly used protocols for federated identity. Ansel will need to better understand what the use cases for federated identity are in his environment and which organizations he will federate with before he chooses a protocol to implement and may eventually need to support more than one. Authman is a tool used to manage web user login files and is not a protocol.

Answer 46

**Different antimalware engines call the same malware package by different names.** Sites like VirusTotal run multiple antimalware engines, which may use different names for malware packages. This can result in a malware package apparently matching multiple different infections.

Answer 47

**resmon** The Windows Resource Monitor (resmon.exe) application is a useful tool to both see real‐time data and graph it over time, allowing Abul to watch for spikes and drops in usage that may indicate abnormal behavior.s

Answer 48

**Building a similarity graph of similar functions across binaries** Binary diffing looks at multiple potentially related binaries that have anti‐reverse‐engineering tools run on them and looks for similarities. Graphs map this data, helping the tool identify malware families despite the protections that malware authors bake in. As you might have guessed, the rest of the answers for this question were made up.

Answer 49

**Remote execution of code** PowerShell, wmic, and winrm.vbs are all commonly used for remote execution of code or scripts, and finding them in use on a typical workstation should cause you to be worried as most users will never use any of the three.

Answer 50

**Availability** Availability analysis targets whether a system or service is working as expected. Although a SIEM may not have direct availability analysis capabilities, reporting on when logs or other data is not received from source systems can help detect outages. Ideally, Lucy’s organization should be using a system monitoring tool that can alarm on availability issues as well as common system problems such as excessive memory, network, disk, or CPU usage.

Answer 51

**Behavior** Lucy has configured a behavior‐based detection. It is likely that a reasonable percentage of the detections will be legitimate travel for users who typically do not leave the country, but pairing this behavioral detection with other behavioral or anomaly detections can help determine if the login is legitimate.

Answer 52

**An RDP connection** RDP operates over TCP 3389. Most corporate workstations won’t have RDP turned on inbound to workstations, and Suki may find that she has discovered a compromise or other behavior that her organization may not want to occur.

Answer 53

**/var/log/auth.log** The auth.log file on Linux systems will capture sudo events. A knowledgeable attacker is likely to erase or modify the auth.log file, so Ian should make sure that the system is sending these events via syslog to a trusted secure host. The sudoers file stored in /etc/sudoers contains details of which users can use sudo and what rights they have. There is not a file called /var/log/sudo, and root’s .bash_log file might contain commands that root has run but won’t have details of the sudo event—there’s no reason for root to sudo to root!

Answer 54

**If files in the directory have changed** Tripwire can monitor files and directories for changes, which means Gabby can use it to monitor for files in a directory that have changed. It will not tell you how often the directory is accessed, who viewed files, or if sensitive data was copied out of the directory.

Answer 55

**The user has opened an interactive command prompt as administrator on a remote workstation.** Even if you’re not familiar with the PS tools, you can use your knowledge of Windows command‐line tools to figure out what is happening here. We see a remote workstation (it is highly unlikely you would connect to your own workstation this way!) indicated by the \\ip.address, a -u flag likely to mean user ID with the administrator listed, and a -p for password. We know that cmd.exe is the Windows command prompt, so it is reasonable and correct to assume that this will open a remote command prompt for interactive use. If this is a user who isn’t an administrator, Charlene needs to start an incident investigation right away.

Answer 56

**Another antivirus program has interfered with the scan.** First, Kai should check the scan log to review the scan type and error code to check it via the Microsoft support site. The most likely cause from the list of provided answers is a conflict with another security product. While security practitioners often worry about malware on systems, a common cause of scan failures is a second installed antivirus package. If Kai doesn’t find a second antivirus package installed, she should conduct a scan using another tool to see if malware may be the issue.

Answer 57

**Allowlisting** Blocklisting known bad IP addresses (previously known as blacklisting), as well as the use of both domain and IP reputation services, can help Charles accomplish his task. Allowlisting (previously known as whitelisting) allows only known addresses through and does not flag known bad addresses.

Answer 58

**The headers were forged to make it appear to have come from John Smith.** The most likely scenario in this circumstance is that the headers were forged to make the email appear to come from example.com, but the email was actually sent from mail.demo.com.

Answer 59

**DMARC** While SPF and DKIM can help, combining them in the form of DMARC can limit trusted senders to only a known list and prove that the domain is the domain that is sending the email; this prevents email impersonation when other organizations also use DMARC.

Answer 60

**SOAR** Security orchestration, automation, and response (SOAR) systems are designed to correlate information and may be able to combine this information. This is especially true if the system and feeds make use of the Structured Threat Information Expression language (STIX) and TAXII, the protocol used to transfer threat intelligence. STIX and TAXII are open protocols that have been adopted to allow multiple threat sources to be combined effectively. SAML is Security Assertion Markup Language, and OCSP is Online Certificate Status Protocol. Neither of those is useful in processing threat information.

Answer 61

**Online Certificate Status Protocol** an internet protocol that allows applications to check the revocation status of a digital certificate in real-time, essentially verifying if a certificate is still valid or has been revoked by the issuing authority, providing a more up-to-date status compared to traditional Certificate Revocation Lists

Answer 62

**Sender Policy Framework ** (SPF) is an email authentication technique that allows organizations to publish a list of their authorized email servers, and systems not listed in SPF will be rejected

Answer 63

**DomainKeys Identified Mail** (DKIM) allows organizations to add content to messages to identify them as being from their domain by signing both the body of the message and elements of the header, helping to ensure that the message is actually from the organization it claims to be from

Answer 64

**Domain-based Message Authentication, Reporting, and Conformance** (DMARC) is a protocol that uses SPF and DKIM to determine whether an email message is authentic, allowing you to choose to reject or quarantine messages that are not sent by a DMARC-supporting sender

Answer 65

Oracle databases default to TCP port 1521

Answer 66

**Oracle** Oracle databases default to TCP port 1521. Traffic from the “outside” system is being denied when it attempts to access an internal system via that port.

Answer 67

**A shuffler** Packers, or runtime packers, are tools that self‐extract when run, making the code harder to reverse‐engineer. Crypters may use actual encryption or simply obfuscate the code, making it harder to interpret or read. Protectors are software that is intended to prevent reverse engineering and often include packing and encryption techniques as well as other protective technologies. Shufflers were made up for this question.

Answer 68

ackers, or runtime packers, are tools that self‐extract when run, making the code harder to reverse‐engineer.

Answer 69

Crypters may use actual encryption or simply obfuscate the code, making it harder to interpret or read.

Answer 70

Protectors are software that is intended to prevent reverse engineering and often include packing and encryption techniques as well as other protective technologies.

Answer 71

**A vulnerability scan** Testing for common sample and default files is a common tactic for vulnerability scanners. Nara can reasonably presume that her Apache web server was scanned using a vulnerability scanner.

Answer 72

**No ports should be open.** The uses described for the workstation that Cormac is securing do not require inbound access to the system on any of these ports. Web browsing and Active Directory domain membership traffic can be handled by traffic initiated by the system.

Answer 73

**cmd.exe should never launch explorer.exe.** For most Windows user workstations, launches of cmd.exe by programs other than Explorer are not typical. This script will identify those launches and will alarm on them.

Answer 74

**Registry edits launched via the command line from Explorer** The first query will identify times when the reg.exe was launched by cmd.exe. If the same data is searched to correlate with launches of cmd.exe by explorer.exe, Mark will know when registry edits were launched via the command line (cmd.exe) from Explorer—a process that typically means users have edited the registry, which should be an uncommon event in most organizations and is likely to be a security concern.

Answer 75

**Place a network firewall between the devices and the rest of the network.** Mateo’s only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default; since they are appliances, they may not have host firewalls available to enable. They also often don’t have patches available, and many appliances do not allow the services they provide to be disabled or modified.

Answer 76

used to check the state of memcached server

Answer 77

command will show a dynamic, real‐time list of running processes

Answer 78

**Initiate the organization’s incident response plan.** John has discovered a program that is both accepting connections and has an open connection, neither of which are typical for the Minesweeper game. Attackers often disguise Trojans as innocuous applications, so John should follow his organization’s incident response plan.

Answer 79

Endpoint detection and response

Answer 80

**Logging all shell commands to /dev/null** This command will prevent commands entered at the Bash shell prompt from being logged, as they are all sent to /dev/null. This type of action is one reason that administrative accounts are often logged to remote hosts, preventing malicious insiders or attackers who gain administrative access from hiding their tracks.

Answer 81

**You cannot determine if a message was forwarded by analyzing the headers.** When an email is forwarded, a new message with a new Message‐ID header will be created. The In‐Reply‐To and References field will also be set as normal. The best option that Charles has is to look for clues like a subject line that reads “FWD”—something that is easily changed.

Answer 82

**Check the passwd binary against a known good version.** The passwd binary stands out as having recently changed. This may be innocuous, but if Marta believes the machine was compromised, there is a good chance the passwd binary has been replaced with a malicious version. She should check the binary against a known good version and then follow her incident response process if it doesn’t match.

Answer 83

**Service replacement** Scheduled tasks, service creation, and autostart registry keys are all commonly found on Windows systems for legitimate purposes. Replacing services is far less common unless a known upgrade or patch has occurred.

Answer 84

**Users who are logged in to more than one machine within four hours** Even if you don’t recognize the Windows Event ID, this query provides a number of useful clues. First, it has an interval of four hours, so you know a time frame. Next, it lists data.login.user, which means you are likely querying user logins. Finally, it includes machine count and >1, so you can determine that it is looking for more than one system that has been logged in to. Taken together, this means that the query looks for users who have logged in to more than one machine within any given four‐hour period. Matt may want to tune this to a shorter time period, because false positives may result for technical support staff, but since most users won’t log in to more than one machine, this could be a very useful threat‐hunting query.

Answer 85

**APT** Damian has likely encountered an advanced persistent threat (APT). They are characterized as extremely well‐resourced actors whose compromises typically have an extended dwell time and the ability to scale capabilities to counter defenders over time.

Answer 86

**/etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.** Linux and Unix systems typically keep user account information stored in /etc/passwd, and /etc/shadow contains password and account expiration information. Using diff between the two files is not a useful strategy in this scenario.

Answer 87

**The email signature block** Although you may want to analyze the email signature block, it is not likely to contain information that will help you identify a phishing message, as the signature text may have been created by the attacker. It is important to note that the signature block refers to the information provided by the user at the end of an email message, not the use of a digital signature. You should analyze entire body of an email for malicious links and payloads. Header data is often checked against IP reputation databases and other checks that can help limit email from spam domains and known malicious senders.

Answer 88

**Scanning all email using an antimalware tool** The most common solution to identifying malicious embedded links in email is to use an antimalware software package to scan all emails. They typically include tools that combine IP and domain reputation lists as well as other heuristic and analytical tools to help identify malicious and unwanted links.

Answer 89

**Change sshd_config to deny root login.** Fortunately, the sshd service has a configuration setting called PermitRootLogin. Setting it to no will accomplish Singh’s goal.

Answer 90

**It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30 p.m.** The at command can be used to schedule Windows tasks. This task starts netcat as a reverse shell using cmd.exe via port 443 every Friday at 8:30 p.m. local time. Azra should be concerned, as this allows traffic in that otherwise might be blocked.

Answer 91

**Fail2ban has blocked the SSH login attempts.** This output shows a brute‐force attack run against the localhost’s root account using SSH. This resulted in the root user attempting to reauthenticate too many times, and PAM has blocked the retries. Fail2ban is not set up for this service; thus, this is the one item that has not occurred. If it was enabled, the Fail2ban log would read something like 2019-07-11 12:00:00,111 fail2ban.actions: WARNING [ssh] Ban 127.0.0.1.

Answer 92

**The user set up netcat as a listener to push example.zip.** The -l flag is a key hint here, indicating that netcat was set up as a listener. Any connection to port 43501 will result in example.zip being sent to the connecting application. Typically, a malicious user would then connect to that port using netcat from a remote system to download the file.

Answer 93

**Using application allowlisting to prevent all prohibited programs from running.** Windows supports application allowlisting (whitelisting). Lukas can allowlist his allowed programs and then set the default mode to Disallowed, preventing all other applications from running and thus blocking the application. This can be a bit of a maintenance hassle but can be useful for high‐security environments, or those in which limiting what programs can run is critical.

Answer 94

**User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.** Remember that rights are read from left to right as user rights, group rights, and then world rights. Here we have read, write, and execute (rwx) for chuck, rw for admingroup, and r for world.

Answer 95

* position 1: type (e.g.: d for directory; - for file; l for symbolic link, etc..) * postion 2-4: owner permission * position 5-7: group permission * position 8-10: others/world permission * special characters: s, for SUID, t for sticky bit, etc.. Example: -rwsr-xr-x 1 root root 50000 Aug 5 18:23 passwd Reading the permissions, character by character: * (Position 1): This is a regular file (not a directory or link) * Owner permissions (Positions 2-4): r: The owner (root) can read this file w: The owner can write to/modify this file s: This is the SUID bit + execute permission. It means when a regular user runs this program, it runs with the permissions of the file owner (root) * Group permissions (Positions 5-7): r: Users in the group (root) can read this file -: Users in the group cannot write to this file x: Users in the group can execute this file * Others/World permissions (Positions 8-10): r: All other users can read this file -: Other users cannot write to this file x: Other users can execute this file * In numeric form, this would be represented as 4755: 4 for the special SUID bit 7 (4+2+1) for owner permissions (read+write+execute) 5 (4+0+1) for group permissions (read+execute) 5 (4+0+1) for others permissions (read+execute) This permission set allows any user to run the passwd command to change their password, while the SUID bit ensures the program runs with root privileges (which are needed to update the password file).

Answer 96

**An attempt to edit the 404 page.** Attackers often use built‐in editing tools that are inadvertently or purposefully exposed to edit files to inject malicious code. In this case, someone has attempted to modify the 404 file displayed by WordPress. Anybody who received a 404 error from this installation could have been exposed to malicious code inserted into the 404 page or simply a defaced 404 page.

Answer 97

**User entity behavior analytics** (UEBA) tools focus on behaviors rather than on a broad set of organizational data

Answer 98

**managed detection response** (MDR) systems are used to speed up detection, rather than for compliance and orchestration.

Answer 99

**A VPN application** Encapsulating Security Payload (ESP) packets are part of the IPsec protocol suite and are typically associated with a tunnel or VPN. Ryan should check for a VPN application and determine what service or system the user may have connected to.

Answer 100

**Data enrichment uses events and nonevent information to improve security insights, instead of just combining threat information.** Data enrichment combines data from multiple sources such as directories, geolocation information, and other data sources as well as threat feeds to provide deeper and broader security insights. It is not just a form of threat feed combination, and threat feed combination is a narrower technique than data enrichment is.

Answer 101

**Install and use Tripwire.** Tripwire and similar programs are designed to monitor files for changes and to report on changes that occur. They rely on file fingerprints (hashes) and are designed to be reliable and scalable. Kathleen’s best bet is to use a tool designed for the job, rather than to try to write her own.

Answer 102

**Anomalies in privileged account usage** In this case, if the user is logged in to administrative systems, privileged account usage would be the most useful additional detail that Alaina could have available. Time‐based login information might also prove useful, but a traveling administrative user might simply be in another time zone. Mobile device profile changes and DNS request anomalies are less likely to be correlated with a remote exploit and more likely to be correlated with a compromise of a user device or malware respectively. Rank Software provides a great threat hunting playbook at www.osintme.com/wp‐content/uploads/2022/09/Threat_Hunting_Playbook.pdf that may prove useful to you as you consider these threats.

Answer 103

**Form a hypothesis.** Forming a hypothesis should be Fiona’s next step. Once she starts to consider a scenario, she needs to identify the target and likely adversary techniques and determine how she would verify the hypothesis.

Answer 104

**AI/ML‐based investigation** Artificial intelligence (AI) and machine learning (ML) approaches are ideal for large volumes of log and analytical data. Manual processes like hypothesis‐driven investigations, or IOC‐ or IOA‐driven investigations, can take significant amounts of time when dealing with large volumes of data.

Answer 105

**To leverage the similarity of threat profiles** Bundling critical assets into groups allows similar assets to be assessed together, leveraging the similarity of their threat profiles. This makes analysis less complex, rather than more complex. Assets should be grouped by similar sensitivity levels, rather than mixed. Threats are assessed against other threats for comparison purposes, and bundling assets will not provide a baseline for them.

Answer 106

**Methods of data ingestion** SOAR systems offer many ways to ingest data, and syslog, APIs, email, STIX/TAXII feeds, and database connections are all common ways for data to be acquired.

Answer 107

**Inserts itself into the Registry** The question’s description includes details about the use of the startup Registry entry for Common Startup and lists a Registry key. This means the Reaver malware as described maintains persistence by using a Registry key.

Answer 108

**Machine learning** Machine learning (ML) in systems like this relies on datasets to build profiles of behavior that it then uses to identify abnormal behavior. They also use behavioral data that is frequently associated with attacks and malware and use that to compare to the user behavior patterns. Signature‐based analysis uses hashing or other related techniques to verify if files match a known malware package. The Babbage machine is a mechanical computer, and artificial network analysis was made up for this question.

Answer 109

**SOAR systems integrate a wider range of internal and external systems.** Although SIEM and SOAR systems often have similar functionality, SOAR systems are typically designed to work with a broader range of internal and external systems, including threat intelligence feeds and other data sources, and then assist with the automation of responses.

Answer 110

**Her own natural biases** A single analyst working alone is likely to have limitation to their knowledge, experience, and their own experiential biases. Thus, Fiona should review her hypotheses for her own natural biases and may want to involve other analysts or experts to help control for them.

Answer 111

**Implementing NetFlow** A NetFlow or sFlow implementation can provide Nathan with the data he needs. Flows show the source, destination, type of traffic, and amount of traffic, and if he collects flow information from the correct locations on his network, he will have the ability to see which systems are sending the most traffic and will also have a general idea of what the traffic is. A sniffer requires more resources, whereas SDWAN is a software‐defined wide area network, which might provide some visibility but does not necessarily meet his needs. Finally, a network tap is used to capture data, but a tap alone does not analyze or provide this information.

Answer 112

NetFlow is a Cisco network protocol that **collects IP traffic information, which allows for network traffic monitoring**. A typical flow capture includes the **IP and port source and destination for the traffic and the class of service,** which helps identify service problems and baseline typical network behavior and can also be useful in identifying unexpected behaviors

Answer 113

**49.51.172.56** A binary file is downloaded from 49.51.172.56, as shown by the GET command for nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin. Annie should mark this as an indicator of compromise (IoC) and look for other traffic to or from this host, as well as what the workstation or system it is downloaded to does next.

Answer 114

**Wireshark** Steve could use Wireshark to capture the download traffic and to observe what host the file was downloaded from. Antimalware tools typically remove the malware but do not provide detailed visibility into its actions. An IPS can detect attacks but would need specific rules to detect the actions taken. Network flows will show where the traffic went but will not provide detailed specifics like a packet capture tool would.

Answer 115

**An incorrect time zone setting** A relatively common issue during log reviews is incorrect or mismatched time zone settings. Many organizations that operate in more than one time zone use Universal Time Coordinated (UTC) to avoid having to do time zone corrections when comparing logs. In this case, Abdul should check the server that is recording the events at 6 p.m. to see if it is set to the wrong time zone or otherwise is misconfigured to have the wrong system time.

Answer 116

Ingress refers to something entering a system or network, while egress refers to something exiting a system or network.

Answer 117

**Business rules** Data loss prevention (DLP) systems use business rules that define when and how data is allowed to move around an organization, as well as how it should be classified. Data at rest is data that is not moving, and the remaining options were made up for this question.

Answer 118

**Performing static analysis of the malware** Although you can build an isolated sandbox or VM, the safest way to analyze malware is to analyze the source code rather than running it. Thus, static analysis is the safest answer, but it may not be as useful as dynamic analysis where you can capture what the malware does as it happens. Static analysis can also be significantly slower because of the effort required to disassemble the code and reverse‐engineer what it is doing.

Answer 119

**CASB** A cloud access security broker (CASB) is the ideal tool to increase Tom’s visibility into cloud services. CASB tools are specifically designed to monitor for cloud access patterns and to ensure that unwanted activity does not occur.

Answer 120

**None of the above** Windows filesystem auditing does not provide the ability to detect if files were changed. Forensic artifacts can indicate that a file was opened and identify the program that opened it. However, unlike tools such as Tripwire that track file hashes and thus can identify modifications, Windows file auditing cannot provide this detail.

Answer 121

**WHOIS lookups and NXDOMAIN queries of suspect URLs** URL analysis of domain generation algorithm–created uniform resource locators (URLs) relies on either testing URLs via WHOIS lookups and NXDOMAIN responses or using machine learning (ML) techniques, which recognize patterns common to DGA‐generated URLs. Natural language processing focuses on understanding natural language data, but DGAs do not rely on natural language–style URLs in most cases.

Answer 122

A **domain generation algorithm** (DGA) is a technique used by malicious actors, often in malware, that generates domain names algorithmically. Here are some key aspects of DGAs: * Malware may use DGAs to create numerous, seemingly random domain names to use for command-and-control (C&C) communication. * The rapidly changing domain names associated with DGAs make it more difficult to block the communication, because even if some hosts are taken down, the malware can rotate to new names. * Detecting DGA-created URLs often relies on testing URLs via WHOIS lookups and Non-Existent Domain (NXDOMAIN) responses or using machine learning techniques that recognize patterns common to DGA-generated URLs

Answer 123

**All occurrences of the sudo command in bash log files in user home directories** In this scenario, the attacker may have been trying to find users who have typed credentials into a sudo command in a script. This will find all occurrences of the sudo command in all the /home/users subdirectories and will then feed that output to a search for bash.log, meaning that only occurrences of sudo inside of bash.log entries will be returned.

Answer 124

**Beacon protocol** Unless she already knows the protocol that a particular beacon uses, filtering out beacons by protocol may cause her to miss beaconing behavior. Attackers want to dodge common analytical tools and will use protocols that are less likely to attract attention. Filtering network traffic for beacons based on the intervals and frequency they are sent at, if the beacon persists over time, and removing known traffic are common means of filtering traffic to identify beacons.

Answer 125

**Portmon** SNMP, packet sniffing, and NetFlow are commonly used when monitoring bandwidth consumption. Portmon is an aging Windows tool used to monitor serial and parallel ports, not exactly the sort of tool you’d use to watch your network’s bandwidth usage!

Answer 126

**Level 0** Syslog levels identify the urgency of the message and are numbered from 0 through 7. The highest level is level 0, which is designated as an emergency message. Syslog level 1 messages are alerts, level 2 messages are critical messages, level 3 messages are errors, level 4 messages are warnings, level 5 messages are notices, level 6 messages are informational, and level 7 is for debugging messages.

Answer 127

**IP reputation** Angela’s best choice would be to implement IP reputation to monitor for connections to known bad hosts. Antivirus definitions, file reputation, and static file analysis are all useful for detecting malware, but command‐and‐control traffic like beaconing will typically not match definitions, won’t send known files, and won’t expose files for analysis.

Answer 128

**Flow logs with heuristic analysis** Flow logs would show Chris outbound traffic flows based on remote IP addresses as well as volume of traffic, and behavioral (heuristic) analysis will help him to alert on similar behaviors. Chris should build an alert that alarms when servers in his datacenter connect to domains that are not already allowlisted and should strongly consider whether servers should be allowed to initiate outbound connections at all.

Answer 129

**The vendor that built the system** Dan can look up the manufacturer prefix that makes up the first part of the MAC address. In this case, Dan will discover that the system is likely a Dell, potentially making it easier for him to find the machine in the office. Network management and monitoring tools build in this identification capability, making it easier to see if unexpected devices show up on the network. Of course, if the local switch is a managed switch, he can also query it to determine what port the device is plugged into and follow the network cable to it.

Answer 130

**ifconfig resets traffic counters at 4 GB.** The traffic values captured by ifconfig reset at 4 GB of data, making it an unreliable means of assessing how much traffic a system has sent when dealing with large volumes of traffic. Bohai should use an alternate tool designed specifically to monitor traffic levels to assess the system’s bandwidth usage.

Answer 131

**Check /home/ for new user directories.** It is unlikely that skilled attackers will create a new home directory for an account they want to hide. Checking /etc/password and /etc/shadow for new accounts is a quick way to detect unexpected accounts, and checking both the sudoers and membership in wheel and other high‐privilege groups can help Vlad detect unexpected accounts with increased privileges.

Answer 132

**An ISAC** Information sharing and analysis centers (ISACs) are information sharing and community support organizations that work within vertical industries such as energy, higher education, and other business domains. Ben may choose to have his organization join an ISAC to share and obtain information about threats and activities that are particularly relevant to what his organization does. A CSIRT is a computer security incident response team and tends to be hosted in a single organization, a VPAC is made up, and an IRT is an incident response team.

Answer 133

**The sender sent via a system in Japan.** Headers can be helpful when tracking down spam email, but spammers often use a number of methods to obfuscate the original sender’s IP address, email, or other details. Unfortunately, email addresses are often spoofed, and the email address may be falsified. In this case, the only verifiable information in these headers is the IP address of the originating host, mf-smf-ucb011.ocn.ad.jp (mf-smf-ucb011.ocn.ad.jp) [153.149.228.228]. At times even this detail can be forged, but in most cases, this is simply a compromised host or one with an open email application that spammers can leverage to send bulk email.

Answer 134

**Successful logins** The system Nara is reviewing has only login failure logging turned on and will not capture successful logins. She cannot rely on the logs to show her who logged in but may be able to find other forensic indicators of activity, including changes in the user profile directories and application caches.

Answer 135

**Anomaly analysis** Profiling networks and systems will provide a baseline behavior set. A SIEM or similar system can monitor for differences or anomalies that are recorded as events. Once correlated with other events, these can be investigated and may prove to be security incidents. Dynamic and static analyses are types of code analysis, whereas behavioral, or heuristic, analysis focuses on behaviors that are indicative of an attack or other undesirable behavior. Behavioral analysis does not require a baseline; instead, it requires knowing what behavior is not acceptable.

Answer 136

**Local Security Policy manager for Windows** a Windows tool related to local security policy. Can assist in analyzing logs and recommending remediation

Answer 137

**Memory resources are available but being tasked by memory management processes.** Memory pressure is a macOS‐specific term used to describe the availability of memory resources. Yellow segments on a memory pressure chart indicate that memory resources are still available but are being tasked by memory management processes such as compression.

Answer 138

**Generate a known event ID and monitor for it.** Saanvi simply needs to generate a known event ID that he can uniquely verify. Once he does, he can log into the SIEM and search for that event at the time he generated it to validate that his system is sending syslogs.

Answer 139

**Interactive behavior analysis** Maria has performed interactive behavior analysis. This process involves executing a file in a fully instrumented environment and then tracking what occurs. Maria’s ability to interact with the file is part of the interactive element and allows her to simulate normal user interactions as needed or to provide the malware with an environment where it can interact like it would in the wild.

Answer 140

**Capture network flows for all hosts and use filters to remove normal traffic types.** The only solution from Latisha’s list that might work is to capture network flows, remove normal traffic, and then analyze what is left. Peer‐to‐peer botnets use rapidly changing control nodes and don’t rely on a consistent, identifiable control infrastructure, which means that traditional methods of detecting beaconing will typically fail. They also use quickly changing infection packages, making signature‐based detection unlikely to work. Finally, building a network traffic baseline after an infection will typically make the infection part of the baseline, resulting in failure to detect malicious traffic.

Answer 141

**They quietly gather information from compromised systems.** Advanced persistent threats often leverage email, phishing, or a vulnerability to access systems and insert malware. Once they have gained a foothold, APT threats typically work to gain access to more systems with greater privileges. They gather data and information and then exfiltrate that information while working to hide their activities and maintain long‐term access. DDoS attacks, worms, and encryption‐based extortion are not typical APT behaviors.

Answer 142

**A behavior‐based analysis tool** Barb can configure a behavior‐based analysis tool that can capture and analyze normal behavior for her application and then alert her when unexpected behavior occurs. Although this requires initial setup, it requires less long‐term work than constant manual monitoring, and unlike signature‐based or log analysis‐based tools, it will typically handle unexpected outputs appropriately.

Answer 143

**Scheduled tasks** Attackers commonly use scheduled tasks to achieve persistence. If an analyst forgets to check for scheduled tasks, attackers may leave a task scheduled that opens up a vulnerability at a later date, achieving persistence on the system

Answer 144

* Level 0: Emergencies indicate a device shutdown due to failure. * Level 1: Alerts signify that a temperature limit has been exceeded. * Level 2: Critical events, such as software failure. * Level 3: Errors, for example, an interface down message. * Level 4: Warning indicate a configuration change. * Level 5: Notifications such as a line protocol up/down. * Level 6: Information such as an ACL violation. * Level 7: Debugging message

Answer 145

**/etc** The /etc directory normally contains system‐level configuration files. Files are generally not stored at the root level (/) of a file system. The /bin directory is used for binary executables, and the /dev directory is used for devices.

Answer 146

**Public cloud** The key to answering this question is recognizing that the multitenancy model involves many different customers accessing cloud resources hosted on shared hardware. That makes this a public cloud deployment, regardless of the fact that access to a particular server instance is limited to Matthew’s company. In a private cloud deployment, only Matthew’s company would have access to any resources hosted on the same physical hardware. This is not multitenancy. There is no indication that Matthew’s organization is combining resources of public and private cloud computing, which would be a hybrid cloud, or that the resource use is limited to members of a particular group, which would be a community cloud.

Answer 147

**Identity of a user or device** Zero‐trust network architectures make trust decisions based upon the identity of the user or device making the request. They do not make trust decisions based upon network location characteristics, such as an IP address, VLAN assignment, or network segment.

Answer 148

**Hypervisor** Secure access service edge (SASE) approaches to network security seek to implement zero‐trust networking in a way that integrates cloud security services. Next‐generation firewalls (NGFWs), cloud access security brokers (CASBs), and wide area network (WAN) connections are all critical components of SASE deployments. Hypervisors are used to create virtual machines, and, while they may be leveraged in a SASE environment, they are not themselves a direct part of the SASE architecture.

Answer 149

**ISACs** The U.S. government created information sharing and analysis centers (ISACs). ISACs help infrastructure owners and operators share threat information, and they provide tools and assistance to their members.

Answer 150

**The attack vector** The ATT&CK framework defines the attack vector as the specifics behind how the adversary would attack the target. You don’t have to memorize ATT&CK to pass the exam, but you should be prepared to encounter questions that you need to narrow down based on what knowledge you do have. Here you can rule out the threat actor and targeting method and then decide between the attack vector and organizational weakness.

Answer 151

**API‐based CASB** API‐based CASB solutions interact directly with the cloud provider through the provider’s API. Inline CASB solutions intercept requests between the user and the provider. Outsider and comprehensive are not categories of CASB solutions.

Answer 152

Inline CASB solutions intercept requests between the user and the provider

Answer 153

API‐based CASB solutions interact directly with the cloud provider through the provider’s API

Answer 154

**IP address** The defining characteristic of zero‐trust network architecture is that trust decisions are not based on network location, such as IP address. It is appropriate to use other characteristics, such as a user’s identity, the nature of the requested access, and the user’s geographic (not network!) location.

Answer 155

**OpenID Connect** OpenID Connect is an authentication layer that works with OAuth 2.0 as its underlying authorization framework. It has been widely adopted by cloud service providers and is widely supported. SAML, RADIUS, and Kerberos are alternative authentication technologies but do not have the same level of seamless integration with OAuth.

Answer 156

**IoC** Specific details of attacks that may be used to identify compromises are known as indicators of compromise (IoC). This data may also be described as an adversary tool, tactic, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC.

Answer 157

**Hybrid cloud** The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment.

Answer 158

full disk encryption (DAH!)

Answer 159

**Detail** While higher levels of detail can be useful, it isn’t a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

Answer 160

**Cloud and network data collection and central analysis** Endpoint detection and response (EDR) tools do not collect data such as network traffic or cloud infrastructure. They do collect data from endpoints and centralize it for analysis and response, including forensic and threat detection capabilities.