Section 1 - Advanced Incident Response and Threat Hunting

Question 1

What is dwell time?

Answer 1

How long they have been in your network prior to being detected

Question 2

Delta

Answer 2

The time between penetration and time of detection

Question 3

What is the top way that a intruder is detected?

Answer 3

Abnormal high levels of traffic

Question 4

What is organised crime motivated by?

Answer 4

Money

Question 5

What are nation state actors (ATP) motivated by?

Answer 5

Information and IP theft

Question 6

What does ISAC stand for?

Answer 6

Intelligence Sharing and Analysis Center

Question 7

What are the six steps to incident response?

Answer 7

1) Preparation
2) Identification and Scoping
3) Containment/Intelligence Development
4) Eradication/Remediation
5) Recovery
6) Follow up/Lessons learned

Question 8

What does SOC stand for?

Answer 8

Security Operations Center

Question 9

What is the Pucker Factor?

Answer 9

Describing the level of stress in response to a danger

Question 10

What is the difference between a Hunting Organization and a Reactive Organization?

Answer 10

Hunting actively looks for incidents, Reactive starts when its notified

Question 11

What does IOC stand for?

Answer 11

Indicators of Compromise

Question 12

What does IR stand for?

Answer 12

Incident Response

Question 13

What does TTP stand for?

Answer 13

Tools, Tactics and Procedures

Question 14

What is containment for “Active Defense”?

Answer 14

Data decoy, bit mangling, Adversary network segmentation, Full-scale host/Network monitoring, Kill switch

Question 15

When do you use forensics vs threat hunting?

Answer 15

Forensics is when you don’t know anything about the enemy, Threat Hunting is when you have a signature.

Question 16

What three skills do you need on your IR team?

Answer 16

Host Forensics/IR
Network Forensics
RE Malware

Question 17

What are the four remediation event goals?

Answer 17

Deny access,
Restrict reaction,
Remove presence,
Degrade survivability

Question 18

What are the three remediation event plan steps?

Answer 18

Posturing
Execute
Implement Controls

Question 19

What are the eight phases of a successful intrusion operation?

Answer 19

Recon
Delivery
Establishing foothold
Maintaining presence
Privilege escalation
Lateral movement
Data collection
Data ex-filtration

Question 20

What are the three IOC types?

Answer 20

Atomic
Behavioral
Computed

Question 21

What is the Atomic IOC?

Answer 21

IP Address, string etc

Question 22

What is the Behavioral IOC?

Answer 22

Profile and Habits

Question 23

What is Computed IOC?

Answer 23

Hashes, IDS sigs etc

Question 24

Name four IOC sharing languages

Answer 24

Cybox
OpenIOC
STIX
Yara-project

Question 25

What are the three possible detection situations?

Answer 25

Malware active Malware exists but not active No malware but system compromised

Question 26

What are four common malware names?

Answer 26

Svchost.exe iexplore. exe iprinp. dll winzf32. dll

Question 27

Name three common service replacements

Answer 27

Wireless Zero Configuration Service RIP listener service Background Intelligent Transfer Service

Question 28

What are the seven most common malware locations?

Answer 28

``` Windows\system32 Temp folders Windows System Volume Information Recycle Bin Program Files Temporary Internet Files ```

Question 29

What does CRL stand for?

Answer 29

Certificate Revocation List

Question 30

Name five Malware Persistence Mechanisms

Answer 30

``` Autostart locations Service creation/replacement Service failure recovery Scheduled Tasks DLL Highjacking WMI event collections ```

Question 31

What is the start at boot run key?

Answer 31

0x02

Question 32

Besides unquoted service paths, how else can a service execute malicious code?

Answer 32

Modify failure recovery to start a program

Question 33

What is the legacy program for scheduled tasks in WinXP and Win 7?

Answer 33

at.exe

Question 34

What is the exe name for scheduling tasks?

Answer 34

schtasks.exe