The Answer to Everything in the universe Flashcards

1
Q

Which element is part of an incident response plan?

A

organizational approach to incident response

2
Q

Which of the following are examples of some of the responsibilities of a corporate CSIRT and the policies it helps create?

A

Incident classification and handling
Information classification and protection
Information dissemination
Record retention and destruction

3
Q

In Microsoft Windows, as files are deleted, the space they were allocated eventually is considered available for use by other files. This creates alternating used and unused areas of various sizes. What is this called?

A

Free Space Fragmentation

4
Q

Which identifies both the source and destination location?

A

IP Address

5
Q

You see confidential data being exfiltrated to an IP address that is attributed to a known Advanced Persistent Threat group. Assume that this is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Diamond Model of Intrusion?

A

reconnaissance

6
Q

Which type of log is this an example of?

A

Netflow Log

7
Q

Which source provides reports of vulnerabilities in software and hardware to a Security Operations Center?

A

Internal CSIRT

8
Q

What is accomplished in the identification phase of incident handling?

A

determining that a security event has occurred

9
Q

Which option is a misuse variety per VERIS enumerations?

A

snooping

10
Q

Drag and drop the element name from the left onto the correct piece of the NetFlow v5 record from a security event on the right.

A

10.232.38.20 - Dest Address
3120 - Dest Port
80 - Source Port
208.100.26.233 - Source Address
60 - Number of packets transmitted
39613 - Bytes transmitted
TCP - Protocol

11
Q

Which regular expression matches "color" and "colour"?

A

colou?r

12
Q

Refer to the exhibit. Which packet contains a file that is extractable within Wireshark?

A

2317 [TCP Segment]

13
Q

During which phase of the forensic process are tools and techniques used to extract the relevant information from the collected data?

A

Examination
Explanation: Examinations involve forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data. Forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity. Examination may use a combination of automated tools and manual processes.

14
Q

You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary code on the site visitor's machine. The malicious code is on an external site that is being visited by hosts on your network. Which user agent in the HTTP headers in the requests from your internal hosts warrants further investigation?

A

Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)

15
Q

Refer to the exhibit. Which application protocol is in this PCAP file?

A

TCP. Just look at the protocol

16
Q

Which information must be left out of a final incident report?

A

server hardware configurations

17
Q

What mechanism does the Linux operating system provide to control access to files?

A

file permissions

18
Q

Which element can be used by a threat actor to discover a possible opening into a target network and can also be used by an analyst to determine the protocol of the malicious traffic?

A

Ports

19
Q

An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. Which term defines the initial event in NIST SP800-61 r2?

A

Trigger

20
Q

Which of the following is an example of a managed security offering where incident response experts monitor and respond to security alerts in a security operations center (SOC)?

A

Cisco’s Active Threat Analytics (ATA)

21
Q

Which process is being utilized when IPS events are removed to improve data integrity?

A

data availability

22
Q

Which stakeholder group is responsible for containment, eradication, and recovery in incident handling?

A

facilitators

23
Q

Which of the following can be identified by correlating DNS intelligence and other security events?

A

Communication to CnC servers

Malicious domains based on reputation

24
Q

Which CVSSv3 metric captures the level of access that is required for a successful attack?

A

privileges required

25
Refer to the exhibit. What can be determined from this ping result?
The Cisco.com website is responding with an internal IP
26
Which of the following is not a metadata feature of the Diamond Model?
Devices
27
We have performed a malware detection on the Cisco website. Which statement about the result is true?
The website has been marked benign on all 68 checks
28
Which of the following steps in the kill chain would come before the others?
Delivery
29
Refer to the Exhibit. A customer reports that they cannot access your organization's website. Which option is a possible reason that the customer cannot access the website?
A vulnerability scanner has shown that 10.67.10.5 has been compromised.
30
Which option has a drastic impact on network traffic because it can cause legitimate traffic to be blocked?
false positive
31
What information from HTTP logs can be used to find a threat actor?
user-agent
32
Which option filters a LibPCAP capture that used a host as a gateway?
gateway host
33
From a security perspective, why is it important to employ a clock synchronization protocol on a network?
so that everyone knows the local time
34
Which option allows a file to be extracted from a TCP stream within Wireshark?
File > Export Objects
35
Which feature is used to find possible vulnerable services running on a server?
listening ports
36
Which two HTTP header fields relate to intrusion analysis?
Host, Connection
37
What is the correct order of the elements of incident handling?
1. Preparation 2. Detection and Analysis 3. Containment, eradication and recovery 4. Post-incident Analysis
38
In the context of incident handling phases, which two activities fall under scoping? (Choose two.)
determining what and how much data may have been affected | identifying the attackers that are associated with a security incident
39
Which of the following is an example of a coordination center?
CERT division of the Software Engineering Institute (SEI)
40
You see 100 HTTP GET and POST requests for various pages on one of your webservers. The user agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the webserver. Which category does this event fall under as defined in the Diamond Model of Intrusion?
installation
41
Which data type is protected under the PCI compliance framework?
credit card type
42
Which kind of evidence can be considered most reliable to arrive at an analytical assertion?
direct
43
Which two options can be used by a threat actor to determine the role of a server? (Choose two.)
running processes | applications
44
Refer to the exhibit. Which type of log is this an example of?
NetFlow log
45
Which type of analysis allows you to see how likely an exploit could affect your network?
probabilistic
46
Which of the following are not components of the 5-tuple of a flow in NetFlow? (Select all that apply.)
Flow record ID | Gateway
47
Which of the following has been used to evade IDS and IPS devices?
Fragmentation
48
Which of the following is typically a responsibility of a PSIRT?
Disclose vulnerabilities in the organization's products and services
49
Which of the following are the three metrics, or "scores," of the Common Vulnerability Scoring System (CVSS)? (Select all that apply.)
Base score | Environmental score | Temporal score
50
Which element is included in an incident response plan?
organization mission
51
Which component of the NIST SP800-61 r2 incident handling strategy reviews data?
detection and analysis
52
Which string matches the regular expression r(ege)+x?
rx
53
assets of an organization. Which option contains the elements that every event is comprised of according to VERIS incident model'
54
Which description of a retrospective malware detection is true?
You use historical information from one or more sources to identify the affected host or file.
55
Which of the following is not an example of weaponization?
Connecting to a command and control server
56
Drag and drop the type of evidence from the left onto the correct description(s) of that evidence on the right.
log that shows a command and control check-in from verified malware - DIRECT EVIDENCE | firewall log showing successful communication and threat intelligence stating an IP is known to host malware - INDIRECT EVIDENCE | NetFlow-based spike in DNS traffic - CORROBORATIVE EVIDENCE
57
A CMS plugin creates two files that are accessible from the Internet: myplugin.html and exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability in exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific variables to exploitable.php. You see traffic to your webserver that consists of only HTTP GET requests to myplugin.html. Which category best describes this activity?
exploitation
58
Which of the following are core responsibilities of a national CSIRT and CERT?
Protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information
59
Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or manipulate the vulnerable component?
local
60
Which two components are included in a 5-tuple?
destination IP address | data packet
61
Which network device creates and sends the initial packet of a session?
source
62
Refer to the exhibit. You notice that the email volume history has been abnormally high. Which potential result is true?
Several hosts in your network may be compromised
63
Which goal of data normalization is true?
Reduce data redundancy.
64
A user on your network receives an email in their mailbox that contains a malicious attachment. There is no indication that the file was run. Which category as defined in the Diamond Model of Intrusion does this activity fall under?
delivery
65
Which CVSSv3 metric value increases when attacks consume network bandwidth, processor cycles, or disk space?
availability
66
Which CVSSv3 metric value increases when the attacker is able to modify all files protected by the vulnerable component?
integrity
67
Which of the following is one of the main goals of data normalization?
To purge redundant data while maintaining data integrity
68
Which Security Operations Center's goal is to provide incident handling to a country?
National CSIRT
69
You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post-infection. Which two pieces of information from the analysis report are needed or required to investigate the callouts? (Choose two.)
File size | Host IP address
70
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?
Collection
71
Which option creates a display filter on Wireshark on a host IP address or name?
ip.addr == or ip.host ==
72
Which data element must be protected with regard to PCI?
recent payment amount
73
Refer to the following packet capture. Which of the following statements is true about this packet capture?

00:00:04.549138 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193148797 ecr 0,nop,wscale 7], length 0
00:00:05.547084 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193149047 ecr 0,nop,wscale 7], length 0
00:00:07.551078 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193149548 ecr 0,nop,wscale 7], length 0
00:00:11.559081 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193150550 ecr 0,nop,wscale 7], length 0

This is a Telnet transaction that is timing out and the server is not responding.
74
Which statement about threat actors is true?
They are perpetrators of attacks.
75
Which of the following is one of the main goals of the CSIRT?
To minimize and control the damage associated with incidents, provide guidance for mitigation, and work to prevent future incidents
76
Which option is generated when a file is run through an algorithm and generates a string specific to the contents of that file?
hash
77
Which type of analysis assigns values to scenarios to see what the outcome might be in each scenario?
deterministic