Section 2: Compute and Application Attacks Flashcards
(37 cards)
In container-first organizations, what is the favorite container orchestration platform for automating deployments, scaling systems, and managing containerized applications?
Functions
Kubernetes
Docker
Lambda
Kubernetes is a container orchestration platform that, among many other things, automates deployments, scales systems as demand rises and falls, and manages the complex container environment with only management actions and configuration required from the end user. In container-first organizations, Kubernetes is a favorite, but it can be quite complicated.
Book 2 Page 5
A threat hunter has discovered that a Kubernetes dashboard is broadly accessible without any authentication. What could be the possible scenario?
Attackers must have compromised the service and disabled the authentication mechanism.
The threat hunter has yet to validate whether the dashboard has been accessed.
The administrator forgot to change the default settings, which do not require any authentication.
The administrator removed any required authentication temporarily and then forgot it.
Typically, and by default, Kubernetes dashboards require credentials of some sort (e.g., username and password or token retrieved internally). However, in the Tesla Kubernetes Attack, Tesla’s administrative team removed any required authentication, and this dashboard, which allows full access to the entire Kubernetes deployment, was left wide open to attack.
It is important for a threat analyst to understand how infrastructure is deployed in their organization.
Book 2 Page 8
What is the attack method of using a legitimate or high-reputation cloud provider to proxy attacker traffic and hide malicious activities so that they remain undetected by defenders?
Session hijacking
Proxy hacking
Machine-in-the-Middle
Domain fronting
With domain fronting, attackers will oftentimes use a cloud provider (like CloudFlare) to simply proxy their traffic so that, to the victim, it looks like they are communicating with this cloud vendor — not the attacker’s infrastructure sitting behind this proxy service.
Book 2 Page 12
The Windows login attempt events can be found in which of the following event channels?
Information
System
Application
Security
By default, Windows will generate many useful events within three different event channels:
- Application: These events are reported by applications installed on the operating system.
- Security: By far the most useful event log, as many successful and unsuccessful actions are recorded here; these entries can help write the narrative of how the system was accessed and what was performed (to some degree).
- System: Operating system event data.
Book 2 Page 18
What does a security log with event ID 4624 and logon type 3 mean in Windows?
Successful network logon
Failed network logon
Failed remote interactive logon
Successful interactive logon
Event ID 4624 documents every successful attempt at logging on to a local computer. Logon Type 3 means it was a connection over the network.
Book 2 Page 19
In Red Hat-based systems, which log file records the authentication logs for both successful and failed logins?
/var/log/messages
/var/log/auth.log
/var/log/kern.log
/var/log/secure
Log file /var/log/auth.log in a Debian-based system and /var/log/secure in a Red Hat-based system keep security-related information such as authentication logs for both successful and failed logins.
Book 2 Page 24
In which version of macOS did Apple introduce its own proprietary logging system for operating system-generated log data, known as Apple Unified Logging (AUL)?
macOS 11
macOS 10.0
macOS 12
macOS 10.12
For cloud-based macOS systems (as currently offered by AWS), you must understand that macOS logging as of version 10.12 is quite different from that of your typical UNIX- or Linux-based distribution. Apple now has its own proprietary logging system for operating system-generated log data, known as Apple Unified Logging (AUL).
Book 2 Page 27
What argument can be used in the auditd rules file to create a rule looking for any access to a honey token?
-w
-h
-token
-p
The -w argument indicates a watch rule, meaning that any time the enticing file (the honey token) is read, modified, or even deleted, a log entry is generated.
Book 2 Page 29
What can be used to easily increase/decrease CloudWatch data collected based on user-generated or automated events?
Systems Manager
Auto collector
Log monitor
WatchGuard
With Systems Manager, you can easily increase/decrease the data collected based on user-generated or automated events.
Book 2 Page 38
What is considered a best practice when collecting AWS logs for threat hunting?
Determining how long to keep the logs
Only monitoring data live, without storing
Keeping all data permanently
Deleting data after accessing
A best practice for collecting AWS logs is determining how long to keep the logs based on your data retention policy and then setting the CloudWatch logs retention policy accordingly.
Book 2 Page 38
Which section of the CloudWatch config file specifies how often metrics are to be collected?
logging
collection
agent
config
The agent section includes fields that describe the overall configuration of the agent. The metrics_collection_interval field is optional but specifies how often all metrics in the config file are to be collected and the period of collection. Individual metric intervals can be overwritten, so consider this the global interval number.
Book 2 Page 40
A security engineer has been tasked with setting up a CloudWatch Agent to remove old log files after upload. What setting should be configured in the Logs section to accomplish this?
log_archive: "true"
cleanup_task: "true"
auto_removal: "true"
purge_prior: "true"
The Logs section is probably the most important for threat monitoring and detection. Applications running on your servers may contain the information that describes nefarious activity.
If auto_removal is set to true, the CloudWatch agent will remove old log files after they are uploaded.
Book 2 Page 43
What AWS-provided agent can be used to retrieve logs from an EC2 system to forward to a centralized, AWS-native service?
CloudWatch agent
Logging agent
Forwarder agent
SysLog agent
AWS provides the CloudWatch agent, an open source application with Windows and Linux deployments that can forward telemetry and logs from EC2 to the AWS CloudWatch service. The CloudWatch agent can pull metrics and logs from a host system, gathering detailed telemetry and sending it to a CloudWatch Log Group.
Book 2 Page 44
A security analyst detects several 401 response codes over a short period in the web server access.log file. What can this observation indicate?
Distributed denial-of-service attack
Attempted password-guessing attack
Web server misconfiguration
Web content changed or misplaced
Several 401 response codes over a short period in the web server access.log file can indicate attempted authentication attacks. It is advantageous to look for a series of 401 messages if your web server application is in charge of authentication, as a 401 HTTP response identifies an unauthorized connection (i.e., a failed login attempt). The log data also identify which username the adversary attempted.
Book 2 Page 54
AWS Amplify access logs are available to download in which format?
TSV
Raw
CSV
JSON
Access logs are very minimal in the browser but can be downloaded in CSV format for more detail.
Book 2 Page 56
Which type of logs are available through the Azure app services?
OATH logs
Flow logs
O365 logs
HTTP logs
Azure App Services provides customized logging via diagnostic settings, including HTTP logs (interactions between clients and the web app service) and app service console logs (stdout/stderr of the web application code).
Book 2 Page 57
When implementing AWS Elastic Load Balancing (ELB), what is something to be aware of for security monitoring?
Logging requires network load balancers.
Logging is not enabled by default.
Logging requires purchasing a third-party solution.
Logging is not supported.
One important thing to be aware of is that AWS ELB does not log by default. However, the customer has the option to enable logging to an AWS S3 bucket.
Book 2 Page 60
Which Azure service enables you to utilize a global application delivery network to make forwarding decisions based on layer 7 payloads?
Traffic Manager
Front Door
Back Door
Content Delivery
Azure has two options that support global load balancing. The first of these options is the Azure Front Door service. This service enables you to utilize a global application delivery network to make forwarding decisions based on layer 7 payload.
Book 2 Page 63
What is an advantage of global deployment of nodes to serve static content to end users?
It reduces costs by expiring data.
It prevents attacks by keeping data in duplicate locations.
It allows for load balancing.
It places the data closer to the user.
One of the advantages of global deployment of nodes to serve static content to end users is that it places the data closer to the user. This can help to reduce the latency to all users requesting static content from the web server.
Book 2 Page 64
Which of the following enables logging user queries on an AWS MySQL RDS instance?
Set general_log to 1
Set general_log to 0
RDS logs queries by default
Set sql_log to 1
By default, Relational Database Service (RDS) does not log queries. The configuration is controlled by what is called a parameter group. Within the parameter group, three different configuration items should be adjusted to capture the query logs:
- general_log: If set to 1, it is enabled and queries are captured (default is 0, or disabled).
- slow_query_log: If set to 1, queries that last longer than the number of seconds set in long_query_time will be captured (default is 0).
- log_output: Here, you can select whether you would like the log entries to be stored in the database instance itself (TABLE) or in a file on the database server (FILE). The default is TABLE.
Book 2 Page 74
Why is a container a better choice for an application than a virtual machine?
Containers can run any operating system.
Containers are application layer abstractions.
Containers do not require a hypervisor.
Containers take up much less disk space.
Containers help to make applications more portable — as you can package the operating system along with the application that is being developed, reducing their footprint on disk.
Book 2 Page 84
Why should secrets be added to the container environment and not be part of the container image?
Adding secrets to the image will automatically upload them to GitHub.
Images do not support adding secrets.
Secrets are removed during the image process.
Anyone with access to the image can access the secret.
When using secrets within containers, it is a good idea not to include them in the image build, as anyone with access to that image would have access to that secret. Add to that the challenge that every time a secret is rotated, the image must be rebuilt. The more appropriate method for using secrets in a container is to set them as environment variables as the container is being started. However, if the container is compromised, those secrets could easily be recovered.
Book 2 Page 86
What command can be used to natively access Docker logs?
docker logs container-name
docker stdout container
docker configure-logging enable container
docker-displayoutput container_name
Docker logs are natively available via the following methods:
- stdout of the interactive (non-daemon mode) execution
- The docker logs container-name command
Book 2 Page 88
A cloud engineer notices that a Docker container had the following command executed: docker run --log-driver=awslogs. Where will the logs be stored?
Logstash endpoint
Local system’s journald
The configured syslog facility
AWS CloudWatch
Logs are captured internally within Docker, but many options exist to reformat or ship logs to a more effective location. Docker has a few options that control how data are formatted, as well as the ability to ship the data outside of the platform through logging driver configuration flags, such as awslogs. The awslogs driver forwards log messages to AWS CloudWatch.
Book 2 Page 90