Section 1: Management Plane and Network Attacks Flashcards

(40 cards)

1
Q

Of the following cloud service models, which provides the capability to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider?

Platform as a Service (PaaS)
Software as a Service (SaaS)
Internet as a Service (IaaS)
Infrastructure as a Service (IaaS)

ID: 2e6479b4-97f6-4856-be54-2e8cd065fedb

A

A Platform as a Service (PaaS) cloud service is used to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. Under the hood, the PaaS is operating on top of an Infrastructure as a Service (IaaS). IaaS gives the consumer the ability to provision processing, storage, networking, and other fundamental computing resources on which the consumer can deploy and run arbitrary software, which can include operating systems and applications. Software as a Service (SaaS) is the capability provided to the consumer to use the provider’s applications running on a cloud infrastructure.

Book 1 Page 6

2
Q

According to NIST, which of the following features in the cloud service allows customers to automatically provision the computing resources?

Rapid elasticity
On-demand self-service
Broad network access
Measured service

ID: 6e5c635c-5009-4069-a4b5-86b2096d0d2f

A

Five essential characteristics distinguish a cloud service from a traditional “shared hosting service” or one of the predecessors to cloud computing:

  • On-demand self-service: A consumer can provision computing resources automatically, without requiring human interaction with each service provider.
  • Rapid elasticity
  • Measured service
  • Broad network access
  • Resource pooling

Book 1 Page 43

3
Q

The process of identifying potential security threats and vulnerabilities and prioritizing the controls or detections that need to be included is known as which of the following?

Threat modeling
Vulnerability assessment
Threat mitigation
Vulnerability management

ID: 102c2f6f-c429-406d-bc5a-577c9825bca3

A

Threat modeling is the process of understanding the threats and potential vulnerabilities of your organization; understanding what kind of attacker might go after your particular environment. Hospitals and city municipal environments are targets for ransomware attacks, while producers of internet/software technologies might be vulnerable to supply chain attacks. Understanding what an attacker might attempt against your environment will help focus your detections, analytic capabilities, and your security improvements.

Book 1 Page 15

4
Q

Which MITRE ATT&CK technique looks to see if storage accounts are available, virtual machines are accessible, or identity access management policies can be manipulated?

Account Discovery (T1087)
Network Service Discovery (T1046)
Cloud Service Discovery (T1526)
Cloud Infrastructure Discovery (T1580)

ID: fac57ee4-d3e8-41b5-8576-730e8206ed63

A

With the Cloud Service Discovery (T1526) technique, the attacker uses the cloud API service to determine which cloud services are available. Cloud Infrastructure Discovery (T1580) is similar to Cloud Service Discovery; Cloud Service Discovery looks to see if storage accounts are available, virtual machines are accessible, or identity access management policies can be manipulated. Cloud Infrastructure Discovery looks for the individual resources that are part of those services, such as: what the storage accounts are called; how many virtual machines are accessible; and whether the attacker can update the IAM policy to give themselves admin access.

Book 1 Page 39

5
Q

An analyst needs to investigate Application Programming Interface (API) calls to the AWS environment. What AWS service would the analyst use to investigate the API calls?

Guard Duty
CloudTrail
CloudWatch
Lambda

ID: 6068a7e6-eff9-43ac-9cc0-f920a7077a58

A

CloudTrail tracks Application Programming Interface (API) calls to the AWS environment and provides tools for interacting with the cloud.

Book 1 Page 48

6
Q

When enabling Azure NSG Flow Logs, what is the main advantage of version 2 over version 1?

Version 2 captures the amount of network traffic.
Version 2 indicates whether the traffic is allowed or denied.
Version 2 includes timestamps of network communication.
Version 2 includes flow states.

ID: 00b94b50-2bf4-4b9c-9970-f9ae890ded28

A

When enabling NSG Flow Logs, there are two versions to choose from: version 1 and version 2. The advantage of version 2 over version 1 is that flow states are included. In other words, it can help answer questions, such as: is the flow in this record brand new, a continuation of an older flow, or is it the end of the flow?

Book 1 Page 130

7
Q

Which CloudWatch tool can be used to parse the logs and perform queries across them?

Logs Insights
Logs Analytics
Logs Visualizer
Logs Metrics

ID: 91a051dd-ab54-4b55-9af7-d82eab21315e

A

AWS provides CloudWatch Logs Insights, a user interface that makes it easier to query across logs. The CloudWatch Logs Insights query syntax is a stripped-down query language for crafting the queries. The query language lets you control what is displayed, filter on fields matching regular expressions or basic mathematical comparisons, compute aggregate statistics on the logs, and operate on data inside of unformatted strings.

CloudWatch Insights can parse VPC Flow Logs, Route 53 logs, Lambda logs, CloudTrail logs, and JSON-formatted logs. Other logs will require just-in-time parsing as part of the query syntax.

Book 1 Page 91

8
Q

Which of the following extends Azure Log Activity and allows for more granular searching?

LogView
Log Analytics workspace
CloudWatch
Application insights

ID: 97e32a0e-5472-45c9-b47f-db74d7daabaa

A

An Azure Log Analytics workspace is a logical storage unit in Azure where log data collected by Azure Monitor is stored. It can be advantageous to send data to a Log Analytics workspace to allow more granular searching.

Book 1 Page 106

9
Q

Which of the following attack vectors is likely to be leveraged by cybercriminals to gain initial access to a victim’s cloud environment?

Phishing
Misconfiguration
Malicious insider
Drive-by compromise

ID: bb303c6e-a2ee-4d1e-81f6-21e2e126b04c

A

Most initial access to a victim’s cloud environment tends to fall into one of three categories:

  1. The attacker found an unconfigured or default access vector
  2. The attacker hacked an application
  3. The attacker found or brute-forced credentials

Book 1 Page 10

10
Q

Which of the following Azure networking services can monitor and repair the network health of virtual machines?

Azure Network Watcher
Azure Monitor Insights
Azure ExpressRoute Monitor
Azure Packet Manager

ID: 32dddb3f-0766-4967-8b1a-f9ce5e188712

A

According to the documentation, “Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure as a Service) products, which includes Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc.”

Book 1 Page 143

11
Q

How many CloudTrail records are created for each API call?

5
10
2
1

A

CloudTrail records a single JSON object for every API call.

Book 1 Page 58

12
Q

In the AWS CLI command below, which of the following parameters can be utilized in order to return just the EventTime?

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ListBuckets

--option
--filter
--grep
--query

ID: d89f6497-10b6-4d1c-af03-9a7eba2a289e

A

The --query parameter in the command line can be used to limit which values are returned. The --query parameter accepts strings that are compliant with the JMESPath specification.

Book 1 Page 78

13
Q

Which cyber threat intelligence resource provides remediation guidance for the most critical web application security risks based on a consensus among security experts from around the world?

OWASP Top 10
CIS Critical Security Controls
CIS Benchmarks
MITRE ATT&CK Matrix

ID: 6a62683d-9988-4e0a-b5be-ce17673aa4b1

A

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Every few years, OWASP publishes the “Top 10 Web Application Security Risks” based on observed attacks in the wild. This top ten list details the attack basics, how it works, and how to mitigate it. It is globally recognized by developers as the first step toward more secure coding.

Book 1 Page 31

14
Q

What AWS service provides interactive query service of S3 buckets?

Athena
Aurora
S3 Browser
Kinesis

ID: f9b018cb-c268-45ed-bad2-3adcd19cf68b

A

Amazon Athena is an interactive query service that makes it easier to use standard SQL to analyze data across an S3 bucket. You pay per query and the S3 storage, but it is considered serverless.

Athena is built on top of S3 and AWS Glue Data Catalog but automates the data cataloging. If you know the format of the data and understand the SQL language, you can start running queries quickly.

Book 1 Page 121

15
Q

Which AWS tool provides performance analysis through contributor insights?

CloudTrail
GuardDuty
CloudWatch
Security Hub

ID: 97395b0c-a585-4210-9eb5-a1b34cf3ff28

A

CloudWatch is AWS’s log collection and analysis service. It offers the following features: log collection and search; customizable but limited dashboards; automated event responses; Docker container analysis through Container Insights; performance analysis through Contributor Insights; and web URL testing with canaries.

Book 1 Page 86

16
Q

Which of the following is a framework of best practices that provides a prioritized list of measures organizations can take to mitigate cyber risks?

OWASP Top 10
CIS Benchmarks
CIS Critical Security Controls
MITRE ATT&CK Matrix

ID: 7a0b92c8-a727-4142-8901-777b4399042f

A

The CIS Critical Security Controls v8 is a set of eighteen controls organizations should have in place to better protect their infrastructure. For threat detection, these controls are useful when doing threat modeling.

Book 1 Page 33

17
Q

Which operations are included in Azure Activity Log?

Only actions that create, update, and delete a cloud resource
Only actions that read, modify, and delete a cloud resource
Only actions that read and modify a cloud resource
All the actions that were performed within a cloud resource

ID: d154daed-48af-4f18-bf3a-069451295860

A

Azure Activity Log provides visibility into API activity within the Azure subscription. Any user account or cloud service that makes a change to the environment will be logged. This means that read-level API calls will not be captured here — only actions that create, update/modify, or delete a cloud resource.

Book 1 Page 62

18
Q

Where can you find records of API calls made to your environment?

IMDS
Logging service
IAM roles and policies
User accounts

ID: 14e5636b-c4fa-4211-893a-87f94957994e

A

You can access API calls through the cloud service provider’s logging services.

Book 1 Page 47

19
Q

Which of the following is a feature of VPC Flow Logs in CloudWatch?

Great for building metrics
Easy to archive
Difficult in filtering
Objects are compressed in gzip

ID: 473cb838-8c00-423f-a42f-31d1ecee39ae

A

VPC Flow Logs are sent to either S3 or to CloudWatch. Each log flows into CloudWatch individually. In addition to providing filtering and display tools, CloudWatch is great for building metrics and rules.

Book 1 Page 120

20
Q

Which command would provide evidence of an attacker trying to discover S3 buckets?

aws s3api list-buckets
aws cloudtrail lookup-events
aws sts get-caller-identity
aws cloudtrail query

ID: 80045f13-7f25-4132-b7df-ee4207c87ac0

A

You can detect when someone performs a ListBuckets command to the S3 service’s API. The command line is aws s3api list-buckets, which will conduct a ListBuckets request.

Book 1 Page 52

21
Q

For the Cloud Service Discovery attack, what data sources are listed that we would need?

Lab Notes

A

AWS CloudTrail logs, Azure activity logs, StackDriver logs (GCP).

22
Q

What AWS feature can capture information about IP traffic going to and from the network interfaces in VPC?

Network ACL
Security Group
VPC Flow Logs
CloudWatch Logs

ID: b8c8b431-17ff-4529-91e2-ec219797a339

A

VPC Flow Logs is a feature that lets you capture information about IP traffic going to and from the network interfaces in a VPC. You create a flow log that directs the data to a bucket for further analysis.

Book 1 Page 116

23
Q

What tool was used to filter and extract the JSON data from AWS CLI output?

jq
cut
sed
jquery

ID: 83f67ea8-8973-4ade-9303-687ac948575a

A

jq is a lightweight and flexible command-line JSON processor that you can use to extract JSON data. The jq tool allows the user to filter, slice, map, and change the data with simple commands.

Book 1 Page 80

24
Q

What AWS service provides interactive query service of S3 buckets?

Aurora
S3 Browser
Kinesis
Athena

ID: f9b018cb-c268-45ed-bad2-3adcd19cf68b

A

Amazon Athena is an interactive query service that makes it easier to use standard SQL to analyze data across an S3 bucket. You pay per query and the S3 storage, but it is considered serverless.

Book 1 Page 121

25
Q

If an analyst wants to start a packet capture using Azure Network Watcher, which of the following outbound traffic rules must the analyst allow in order to start the packet capture?

To 168.63.129.16 over 8038/tcp
To Azure Network Controller over 443/tcp
To the chosen storage account over 3389/tcp
To 169.254.169.254 over 80/tcp

ID: 75b78d7b-9b95-4bf3-8e69-cb1bb398d147

A

When creating a new packet capture, there are several prerequisites that must be in place regarding outbound network traffic. The chosen VM must have unfettered access to the storage container over TCP port 443 (if one was specified to store the packet capture), outbound TCP port 80 access to 169.254.169.254, and outbound access to 168.63.129.16 over TCP port 8037.

Book 1 Page 144
26
Q

Which of the following requires adversaries to have a valid account credential to launch their attack?

Steal App Access Token
Forge Web Credentials
MFA Request Generation
Steal Web Session Cookie

A

With **MFA Request Generation**, the attacker generates Multifactor Authentication (MFA) requests that are sent to a user who approves the request for them. If the attacker already has valid account credentials, but not the 2FA or MFA mechanism, the user is bombarded by MFA requests until they approve.

Book 1 Page 111
27
Q

What version of VPC Flow Logs contains regions and availability zones information?

3
2
4
5

ID: df93e234-6c05-47cd-8f6b-b270ec40b8fb

A

By default, a flow log will contain version 2 data. However, updates to flow logs have given users the ability to put additional data into the VPC Flow Log. **Version 4** adds region and availability zone fields and supports AWS Outposts, Wavelength, and Local Zones deployments.

Book 1 Page 118
28
Q

Which of the following filter options is used to control allowing or blocking traffic in the AWS VPC traffic mirroring rule?

Traffic direction
Rule number
Protocol
Rule action

ID: 045b56b8-e292-4332-ad05-5efe455a3812

A

Rule action is either accept or reject. You can use this to control whether this rule is allowing or blocking traffic. Used with precedence, you can create a single filter for sending HTTP traffic to one target. Then, another filter is created that allows all traffic, but rejects HTTP, and is sent to another target.

Book 1 Page 142
29
Q

What query language is used in the Azure Log Analytics workspace to efficiently filter and parse event data?

Stripped-down Query Language
Structured Query Language
Kusto Query Language
JSON

ID: 5f62c5f9-88ed-4533-94e2-36f3474a265e

A

**Kusto Query Language** (KQL) is used to effectively filter and parse event data once the data arrive at an Azure Log Analytics workspace. There are many operators and functions that can be used to select, process, and present the data that an analyst may be trying to identify.

Book 1 Page 101
30
Q

Which MITRE ATT&CK Brute Force sub-technique uses lists of compromised user credentials to breach the target?

Credential stuffing
Password cracking
Password spraying
Password guessing

ID: 14627a97-c02a-44bf-ba57-f00af7e1631f

A

**Credential stuffing** is simply taking credentials discovered in one breach and reusing them against the target. People tend to reuse credentials, especially if they are not using a password manager.

Book 1 Page 112
31
Q

Which of the following is a knowledge base and framework for cyber adversary behavior, tactics, and techniques based on real-world observations?

OWASP Top 10
Atomic Threat Indicators
MITRE ATT&CK Matrix
CIS Critical Security Controls

ID: b3e60ed5-4c31-41ee-aabc-e42d0e28a190

A

MITRE is a federally funded research company that has a research and development center that focuses on cybersecurity. One of their many contributions to the public is the MITRE ATT&CK Framework. ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, attempts to bring order to the chaos of cataloging and describing how attackers operate in infrastructure. MITRE has multiple frameworks that focus on different environments, including one specifically for cloud infrastructure.

Book 1 Page 28
32
Q

How many CloudTrail records are created for each API call?

1
2
10
5

ID: 58437640-f207-42b5-9e12-b0f48bafd9ac

A

CloudTrail records a single JSON object for every API call.

Book 1 Page 58
33
Q

Which CloudTrail event type is used to track API actions on the S3 objects?

Management events
Insight events
Security events
Data events

ID: 02738d8c-4a43-454a-8776-68bf5c121c3f

A

**Data Events** track API actions on S3 objects with information such as the AWS account of the caller, the API call, and other details. Data event logging can be applied to specific S3 buckets or to all buckets in the account.

Book 1 Page 50
34
Q

In which format are CloudTrail logs recorded and stored?

JSON
YAML
CSV
XML

ID: dbe3229c-4723-4de0-9d1b-2084939a2b0b

A

Each CloudTrail log, or the metadata from a unique API call, is stored as JSON data. This makes it easy to extract and evaluate with tools and programming languages.

Book 1 Page 48
35
Q

Which of the following tools can provide an analyst with good visualizations of AWS services?

AWS Management Console
AWS SDK
AWS CLI
AWS Visualizer

ID: b17e8762-bbc9-48f1-a473-43cec117091e

A

The **AWS Management Console** provides a set of user interfaces, wizards, and tools to help make sense of the AWS resources. Any create, read, update, delete, and list of AWS resources is done by the web application making a specific call to the service API in a region.

Book 1 Page 45
36
Q

What is the default retention period of log groups in CloudWatch?

1 day
365 days
3,653 days
Forever

ID: a393bacb-ca27-412b-8f67-139ab6f334e5

A

CloudWatch log groups can have a set retention period between 1 day and 3,653 days. Log groups without a retention period are **defaulted to forever**.

Book 1 Page 88
37
Q

What type of authentication is always recommended for humans logging into any infrastructure?

API key ID and secret key
Strong passphrase
Multi-factor authentication
Complex password

ID: f74eee63-bc13-46d6-a765-26eb05ca472f

A

Humans logging into any kind of infrastructure should always use multi-factor authentication (MFA). AWS and Azure have published articles on how to implement MFA properly. An MFA method would have stopped this attack in its tracks.

Book 1 Page 12
38
Q

Which of the following requires adversaries to have a valid account credential to launch their attack?

Steal App Access Token
MFA Request Generation
Steal Web Session Cookie
Forge Web Credentials

ID: 273d958c-584b-4402-815e-93421fc4ab67

A

With MFA Request Generation, the attacker generates Multifactor Authentication (MFA) requests that are sent to a user who approves the request for them. If the attacker already has valid account credentials, but not the 2FA or MFA mechanism, the user is bombarded by MFA requests until they approve.

Book 1 Page 111
39
Q

What is the action or process of identifying the presence of something concealed?

Detection
Incident response
Monitoring
Threat hunting

ID: 6e0cedfd-6155-4781-ac6d-83892a71034b

A

Monitoring is used to observe and check the progress or quality of something over time. **Detection** is an action or process of identifying the presence of something concealed. Threat hunting is trying to identify active threats in your environment that are not being detected. Incident response is the process by which an organization handles a data breach or cyberattack.

Book 1 Page 22
40
Q

Which tool can an Azure cloud administrator use to collect, analyze, and act on telemetry data from Azure and on-premises environments?

Azure SIEM
Azure Monitor
Azure CloudWatch
Azure LogView

ID: c87f8c59-6bcd-4552-96c7-d18762415780

A

Similar to AWS CloudWatch, **Azure Monitor** is Azure's answer to all things monitoring. This service has a lot of features:

  • Troubleshooting service health
  • Collecting data from many types of resources, inside and outside the Azure environment
  • Analyzing data once it is ingested into this service
  • Aiding in automated alerts based upon user-provided queries that run at regular intervals

Book 1 Page 98