Section 3: Security Services and Data Discovery Flashcards

(40 cards)

1
Q

Which of the following pieces of information do attackers typically try to gather from an application running on a Cloud system when they perform an SSRF attack?

Application secret key and token
User credentials
Application private certificate and secret key
Application cookie and private certificate

A

During the Capital One attack, the attacker asked the application to return its own secret key and token information provided by the AWS management environment by querying the metadata service.

Book 3 Page 8

2
Q

An attacker queries the metadata service of an EC2 system with an IP address of 169.254.169.254. What information would they receive from the metadata service that can enable them to make calls to AWS API from an attacker’s machine?

Temporary access token
API key
System password
Metadata ID

A

This metadata service is available by querying the IP address 169.254.169.254, which acts as a REST interface. This is not a normal IP address that is routable to some web server in AWS.

The metadata service interacts with the AWS IAM service to create a temporary access token for that instance that can be used to make calls for resources through the AWS API.

Book 3 Page 10

3
Q

What is the next step after Cloud Service Discovery that an attacker typically performs to determine which infrastructure is available for different services?

System infrastructure discovery
Cloud infrastructure discovery
Cloud service scanning
Cloud infrastructure scanning

A

Right after a Cloud Service Discovery, the attacker will do Cloud Infrastructure Discovery (T1580), which determines the infrastructure available from these services.

Book 3 Page 11

4
Q

What rule should be followed when provisioning bucket access to a web application?

IAM access analyzer

Star (*) permissions

Least privilege

Full access

A

When building new tools and testing them out, developers tend to create roles that are over-provisioned, thus violating the rule of least privilege. As a security professional, you always want your compute application to be granted only the permissions it absolutely needs.

Book 3 Page 13

5
Q

What three pieces of information are needed to configure an AWS CLI on any workstation?

SecretAccessKey, Credential, and Token
AccessKeyID, SecretAccessKey, and IP Address
AccessKeyID, SecretAccessKey, and Token
AccessKeyID, Password, and Token

A

AccessKeyID, SecretAccessKey, and Token. These three pieces of information are all that is needed to configure an AWS CLI on any workstation — even sitting at home — with the credentials necessary to make calls to the AWS API service as if they were the inspector-role. They would simply need to update the AWS CLI’s credentials file to use the retrieved secrets.

Book 3 Page 28

6
Q

An analyst would like to query Azure metadata services. What should be the value of the custom header field for them to be able to perform this?

Securitytoken:true
Encrypted:true
Metadata:false
Metadata:true

A

Azure requires a custom header to be sent as part of the HTTP GET request. The value of the header must be Metadata:true to signify in the request that: yes, you know this is for metadata and nothing else. Without the header, the Azure metadata service will drop the query.

Book 3 Page 31

7
Q

Azure has two types of managed identities. Which managed identity is enabled on the cloud resource and has a lifecycle tied to that of the resource?

User-assigned
Metadata-assigned
Cloud-assigned
System-assigned

A

A system-assigned managed identity is enabled on a cloud resource, and its lifecycle is tied to that of the resource. With system-assigned identities, the Azure customer lets Azure generate and assign a new identity during a cloud resource deployment (or even after the resource has been provisioned). The lifecycle is also handled by Azure: when the cloud resource to which this identity is assigned is deleted, so is the identity.

Book 3 Page 32

8
Q

AWS implemented the IMDSv2 service to add a layer of security on metadata service calls. What HTTP method needs to be used as a part of the IMDSv2 metadata call?

HTTP GET method
HTTP HEAD method
HTTPS PUT method
HTTP PUT method

A

While communicating to IMDSv2, the cURL command must use an HTTP PUT command to /latest/api/token to return a TOKEN value. Applications that are vulnerable to SSRF are usually performing a GET; the requirement for a PUT will plug up that hole.

Book 3 Page 33

9
Q

Which AWS service can be used to locate the use of EC2 IMDSv1 tokens?

AWS AccessAnalyzer

AWS GuardDuty

AWS CloudTrail

AWS CloudWatch

A

CloudWatch has a metric, MetadataNoToken, that tracks calls to the IMDSv1 service on EC2 instances through the CloudWatch agent.

Book 3 Page 34

10
Q

An analyst is dealing with a lot of findings generated through GuardDuty. What could they do to limit and remove findings from the dashboard?

Suppression rule
Signature rule
Filtering rule
Alerting rule

A

GuardDuty can be noisy, and it may flag activity that is normal in your environment or that you do not wish to see reported. To limit and remove findings from the dashboard, you can create a filter and apply it as a suppression rule.

Book 3 Page 42

11
Q

Which of the following accurately describes serverless architecture?

Executing software without having to manage the compute resources under it

Using continuous integration and continuous deployment to deploy new software

Deploying new software into a cloud hosted EC2 instance

Executing infrastructure as code to deploy new infrastructure

A

A serverless architecture means that the customer does not manage the underlying compute resources, elasticity, or deployment.

Book 3 Page 46

12
Q

Which of the following accurately describes serverless architecture?

Deploying new software into a cloud hosted EC2 instance

Executing software without having to manage the compute resources under it

Using continuous integration and continuous deployment to deploy new software

Executing infrastructure as code to deploy new infrastructure

A

A serverless architecture means that the customer does not manage the underlying compute resources, elasticity, or deployment.

Book 3 Page 46

13
Q

Which of the following would be a good use of AWS Lambda?

Sending a notification to the user when their order status has changed
Running a permanent website using Python Flask framework
Performing a one-time update of a database table
Executing workloads that require local access to resources

A

Sending a notification to the user when their order status has changed

AWS Lambda is a serverless compute service that lets you run arbitrary code when an event occurs. Long running applications or ones that need local resources are better served with alternate services.

Book 3 Page 47

14
Q

Which unique feature of Azure Functions helps ensure application of least privilege?

Invocation options

IAM principals

No concurrency limit

Input/output bindings

A

Azure Functions supports resource binding for input and output. In the configuration of the Azure function, you specify the Azure Blob that data will be read from or written to.

Book 3 Page 48

15
Q

Which Lambda/Functions logging feature can be used for troubleshooting an application?

Log and print statement recording
Log Forwarding
CloudWatch log groups
General execution information

A

AWS Lambda and Azure Functions will record logging/print statements from the app itself. Normally you turn this off to reduce costs, but it might be necessary for application troubleshooting.

Book 3 Page 49

16
Q

How do Lambda functions access sensitive environment information?

Stored in protected S3 buckets
Sending an HTTP request to a service on a local port
Querying the AWS secrets server
Injected environment variables at runtime

A

Lambda makes key data available through environment variables that are injected into the runtime environment of the Lambda function upon execution.

Book 3 Page 50

17
Q

What attack can be performed where the goal is to execute code within the operating environment of a Lambda function in order to return the sensitive information stored in the environment variables?

Privilege escalation
Data exfiltration
Command injection
Denial of service

A

Command injection, or command and scripting interpreter attack, is when the attacker abuses the execution of a command, script, or binary by providing an input value that was not expected. A typical command injection vulnerability comes from improperly sanitized inputs.

Book 3 Page 51

18
Q

When interacting with a cloud environment, which tool offers the least amount of customization?

Command Line
SDK
CLI
GUI

A

One drawback of using web GUIs to access cloud environments is that they are designed for a broad audience and not tailored specifically to your needs.

Book 3 Page 59

19
Q

Which of the following provides a way to add metadata to your AWS or Azure resource that is user controlled?

Keys
Comments
Tags
Metadata

A

Tags are a way to add metadata to your AWS or Azure resource that is user controlled and can greatly help in an investigation. Tags themselves have no special magical property, but they can be used to change the way IAM policies work, how your automations use the resource, and how you bill sub teams.

Book 3 Page 69

20
Q

What feature can cloud customers use to add metadata to AWS or Azure resources?

Instance Metadata Service

Pins

Notes

Tags

A

Tags are a user-controlled way to add metadata to your AWS or Azure resource that can significantly help in an investigation. They have no particular magical property in and of themselves, but they can change how IAM policies work, how your automation uses the resource, and how you bill sub-teams.

Book 3 Page 69

21
Q

Which of the following is an AWS resource inventory, configuration history, and configuration change notification service?

AWS Security Hub
AWS Config
AWS Configuration Manager
GuardDuty

A

AWS Config was introduced in November of 2014 as an AWS resource inventory, configuration history, and configuration change notification service. AWS has since expanded AWS Config to support compliance and conformance packs with configuration rules that let you define how resources should be configured and raise alerts or trigger automated response actions when a rule is broken.

Book 3 Page 71

22
Q

Which AWS service focuses on resource inventory and configuration history?

AWS GuardDuty

AWS Configuration Manager

AWS Glacier

AWS Config

A

AWS Config was introduced in November 2014, initially focusing on resource inventory and configuration history.

Book 3 Page 71

23
Q

As an analyst, which of the following AWS services can be utilized to see a timeline of changes, details of changes, and to help tell the story of the resource?

AWS Config
AWS SecurityConfig
AWS GuardDuty
AWS SecurityHub

A

AWS Config provides GUI and command-line access to resources and relationships. It gives a timeline of changes, details of changes, and can be used to help tell the story of the resource.

Book 3 Page 77

24
Q

An analyst would like to use the “Run Command” feature to launch customized commands and search for IoCs on AWS cloud systems. Which of the following is a requirement to perform this?

Target instances should have EDR installed.
Target instances should be SSM-managed.
Target instances should be reachable from the Internet.
Target instances should be running Linux.

A

AWS Systems Manager (SSM) is an agent that runs on your EC2 instances, with a dedicated GUI to run operations on them. The real power of Systems Manager is how the AWS service can collect the results, provide visualizations, and invoke automations. Systems Manager was built to run commands across a fleet of systems, and this is exposed through the Run Command feature; the target instances must therefore be SSM-managed.

Book 3 Page 86

25
Q

An analyst has executed an AWS SSM Run Command via the CLI to perform discovery on a few systems. What value from the command run would they need to query to see the results of the Run Command?

instance-ids
CommandInvocations
document-name
CommandId

A

While the Run Command will execute, it will not return the results of the command. It only confirms that you created the command and that it is waiting for the SSM agents to pick it up. You will need to query using the **CommandId** to see the results of the Run Command.

Book 3 Page 92
26
Q

Which of the following is a limitation of most vulnerability scanners with regard to performing searches for known IoCs on systems?

They only work with plaintext files.
They require an endpoint agent.
They only support Linux systems.
They do not work remotely.

A

Many vulnerability scanning vendors support some level of custom plugin or script development that you, as the administrator, can utilize to search for potentially malicious data. The caveat is that this method only works with plaintext files.

Book 3 Page 94
27
Q

Which of the following is the recommended way to perform search and discovery of sensitive data in AWS cloud storage solutions?

Run search commands using SSM Agents.
Use AWS Macie for inventory and searching.
Use vulnerability scanners.
Use DLP solutions.

A

Macie first generates an inventory of the account’s S3 buckets. While doing this, several best practices are assessed, and deviations from them can be reported. You can also extend Macie beyond its default capabilities. Since it has visibility of AWS S3 bucket contents, AWS Macie can conduct searches for sensitive data using machine learning and pattern matching.

Book 3 Page 96
28
Q

Which of the following can be leveraged to parse the content in configured backend datastores while using Azure Cognitive Search?

Lucene Query Syntax
Structured Query Language
Kusto Query Language
Boolean Query Syntax

A

A Lucene-formatted query can be leveraged to parse the content in the configured backend datastores. Luckily, within the Azure Search services, there is a component that aids in the creation of these queries and will even convert the query string to URI-encoded form, as this search may be leveraged by other, authenticated Azure applications.

Book 3 Page 102
29
Q

An analyst would like to perform searches on Lambda functions in AWS looking for usage of credentials. Which of the following would you recommend to perform this?

AWS Inspector
AWS Macie
Custom scripts
Azure Cognitive Search

A

Since the command-line tools make these data easy to retrieve and transform, wrapping the tool output in another scripting language (with a little bit of regex) makes discovering the data relatively easy (**Custom Scripts**). Using a little command-line knowledge, you are able to retrieve the underlying Lambda code, decode it, and look for the sensitive data.

Book 3 Page 104
30
Q

Which AWS native security tool displays a security score indicating the percentage of how compliant the cloud instance is with a certain framework?

Inspector
Security Hub
Systems Manager
Firewall Manager

A

AWS Security Hub is a service that brings in alerts from multiple AWS services and third-party services. It rolls up the appropriate data and presents the security findings to the customer in an easy-to-digest format. AWS Security Hub can break down different compliance frameworks in the form of a security score. This score shows a rough percentage of how compliant the customer's cloud environment is with a certain framework.

Book 3 Page 111
31
Q

Which cloud native tool can check for and alert on service misconfigurations in Azure?

Macie
Defender
GuardDuty
Security Hub

A

Microsoft Defender for Cloud is the Azure solution for posture management and protecting workloads. It will look for and evaluate service misconfigurations. Microsoft Defender for Cloud breaks this down into three distinct sections. The Description section explains the finding and how the proper setting could enhance your security posture.

Book 3 Page 113
32
Q

Which of the following vulnerabilities in cloud implementations is more easily found using network-based analysis rather than host-based analysis?

Service configurations
Application versioning
Abnormal listening applications
OS patch levels

A

Not only should network traffic be limited to approved systems — both inside and out — but the customer should be aware of any **abnormal network connections** that either are or could be established with their systems. It is very useful to know what normal network connections look like in the given environment so that abnormalities can be spotted. A network vulnerability scan can be one way to identify these strange listeners or vulnerable, external-facing services on the virtual machine.

Book 3 Page 114
33
Q

When comparing network vulnerability scanners and host-based scanners in the cloud, what is an important key detail to remember regarding network vulnerability scanners?

Compared to host-based scanners, network scanners provide more complete data.
Network scanning is only a small part of the picture.
Service configuration specifics will be found more easily with network scanning.
Host scanners have no visibility into applications not listening on ports.

A

Network vulnerability scanning is only a small part of the picture:

* No specifics of service configuration; it only sees "from the outside"
* No visibility of unexposed services at all unless an authenticated scan is conducted

Host- or agent-based scanners provide much more complete data:

* Unexposed application configurations and versioning
* Operating system configurations and patch levels

Book 3 Page 115
34
Q

An analyst would like to set up a vulnerability management service within their AWS cloud environment. Which of the following native tools can the analyst use to perform network and host assessments in AWS?

GuardDuty
Security Hub
Inspector
CloudWatch

A

AWS Inspector can assess the systems against a multitude of standards. Once the assessment completes, there are several options to acquire the assessment data depending on the cloud customer's preference, such as sending the data to AWS CloudWatch, AWS Security Hub, and/or AWS Simple Notification Service (SNS).

Book 3 Page 116
35
Q

What machine learning method uses unlabeled data to learn patterns?

Unsupervised
Non-reinforced
Reinforced
Supervised

A

Unsupervised learning uses algorithms that do not require human input to provide labels. It looks at all the characteristics of the data and can identify patterns. Unsupervised learning is useful in complex tasks, such as grouping or clustering large datasets to identify similarities in the data.

Book 3 Page 129
36
Q

An analyst would like to create their own machine learning workflow. Which of the following could they use to perform this?

Amazon GuardDuty
Amazon SageMaker
Amazon Macie
Amazon Detective

A

Amazon SageMaker lets you create your own machine learning workflows. Amazon SageMaker is an AWS-managed service to help you build, train, and deploy your own machine learning models. While not focused on security itself, it does provide an excellent virtual workbench to help simplify the difficult process of managing a machine learning workload.

Book 3 Page 131
37
Q

Which of the following solutions from Microsoft uses machine learning to detect and generate alerts on bad activity?

Azure Machine Learning Studios
Defender for Cloud
Amazon Q
Azure Front Door

A

Microsoft Defender for Endpoint (and others) uses machine learning models to detect bad activities in the services it monitors. Microsoft Defender for other services also uses anomaly detection and machine learning.

Book 3 Page 132
38
Q

What logs provide details about user and resource authentication and changes to cloud-managed resources in the cloud?

Database logs
Cloud storage
Container orchestration logs
Management API logs

A

Management API logs detail user and resource authentication and interactions with the cloud's management API, tracking creations, deletions, and changes to cloud-managed resources.

Book 3 Page 138
39
Q

What information in CloudTrail logs can be used to tie the authenticated user using long term credentials with an action they performed?

AWS user name
Caller
AWS access key
JWT claim

A

The AWS access key is important when performing an investigation in AWS. For an IAM user using long-term credentials, the AWS access key ID is a long-term credential that will appear in the CloudTrail logs with all accesses.

Book 3 Page 142
40
Q

Which of the following artifacts can often be used to pivot between non-API logs?

User name
IP address
Access key
Event name

A

For non-API logs, the IP address may be a pivot point. Most logs initiated by a user/resource include its originating IP address.

Book 3 Page 144