Cyber Offensive and Defensive Network Operations
The common default community strings for SNMP are: A. read and write B. public and private C. root and toor D. manager and agent
A, C and D are wrong. B is right.
Which piece of equipment is an example of passive defense? A. Telephone B. Router C. Datawall D. Firewall
A and B are wrong. D is correct.
All of the following are techniques to prevent an adversary from accessing an account with elevated privileges EXCEPT: A. Apply best practices to password policies B. Implement Access Control Lists (ACLs) C. Separation of Duties and Least Privilege D. Monitor for configuration changes to system files
A and C are wrong.
Scanning or "hunting" for internal threats can be categorized as which type of defense? A. Hybrid B. Active C. Passive D. Complex
A and D are wrong. B is right.
Which command enumerates users on a remote Linux machine? A. dig B. nmap C. finger D. bash
A and D are wrong. C is correct.
Which is a security-focused function of a router? A. Connecting two LANs together B. To determine which network hops data should be sent to C. Segment networks within an enclave D. Identify hosts and networks with IP addresses
A is wrong
HBSS, a software that is installed on an individual computer, is an example of what kind of intrusion detection system? A. Network Intrusion Detection System B. Cyber Intrusion Detection System C. Software Intrusion Detection System D. Host Intrusion Detection System
A is wrong. D. Host Intrusion Detection System
Which is a type of indicator NOT provided by logging? A. Atomic B. Behavioral C. Computed D. Restricted
A, B and C are wrong. D is correct.
File signature analysis can help accomplish all of the following EXCEPT: A. find files obfuscated with changed extensions B. carve files out of unallocated space C. identify malware based on specific strings D. narrow searches for specific file types
A, B and D are wrong. C is correct.
What are defensive actions that leave the DOD Information Network? A. DCO-RA B. DCO-IDM C. DCO-OCO D. DODIN Ops
A. DCO-RA
All of the following are aspects of incident prevention preparation EXCEPT: A. Identity Awareness - Knowing and understanding the relevant sections of your organization B. Malware Prevention - Host, server, & client levels C. Training and Awareness - policies, procedures, risk prevention D. Host Based Security - "least privilege" hardening
A. Identity Awareness - Knowing and understanding the relevant sections of your organization
Which phrase best describes defense-in-depth? A. The application of security measures in a layered fashion B. The arrangement of firewalls and network equipment to form a chain or pathway for information to flow securely C. A personnel and equipment policy that provides redundancy D. A DoD cyber budgetary policy that teams with private industry to provide the latest in defense technology
A. The application of security measures in a layered fashion
A firewall provides ingress and egress filtering for the segment where it is placed on a network. A. True B. False
A. True
An IDS can be placed inside or outside the network. A. True B. False
A. True
Intrusion Detection Systems (IDS) are deployed to deny traffic that meets specific requirements. A. True B. False
A. True
Social engineering attacks attempt to convince a person to unwittingly take some action which will help an attacker. A. True B. False
A. True
Social media sites provide valuable information that can be used in social engineering attacks. A. True B. False
A. True
A civilian power plant was submitted as the target for an offensive cyber operation that would degrade and heavily disrupt its ability to produce power. Is this power plant a legal target? A. Yes, provided it is a military necessity and the effects on civilians will not be disproportionate B. No, power plants, hospitals, and civilian telecommunications hubs are not acceptable targets under the UN Resolution 161-C accord C. Yes, provided there are not hospitals that are direct recipients of its electricity and the damage is proportional. D. No, under the principle of distinction, civilians may never be directly targeted
A. Yes, provided it is a military necessity and the effects on civilians will not be disproportionate
One benefit of end point network traffic analysis is that it can help identify: A. communication channels which are out of the ordinary B. malware installed on victim systems C. subversion of administrative privileges D. usernames and passwords used for malware command and control
A. communication channels which are out of the ordinary
A write-block device: A. prevents malware from executing on the forensic workstation B. restricts write-access to only authorized personnel C. increases processing time by syncing read cycles D. prevents modifications of the data on digital media
A. prevents malware from executing on the forensic workstation
Which of the following is a common enumeration technique? A. Banner grabbing B. Ping Sweep C. Meterpreter shell D. Encrypting payloads
B and C are wrong.
What is an execute order (EXORD) used for? A. It is generated in the final stage of the target vetting CTO process B. An authority granted to states by the Federal government in times of crisis for Cyber action C. The only authority that can allow a non-competitive contract to be awarded D. Authorization for offensive operations
B and D are wrong.
Which information can NOT be found in the Windows Registry? A. Startup services B. Internet Explorer history C. Apache passwords D. Previously connected drives
B and D are wrong.
Which technique can help prevent an adversary's ability to conduct reconnaissance? A. Change default error codes produced by public facing applications B. Apply best practices to password policies C. Incorporate Data Loss Prevention tools and techniques D. Run periodic and recurring vulnerability and port scans
B and D are wrong. A is right.
What is a proxy used for? A. Restricting user access to specific locations B. Acting as a mediator between a sender and receiver C. Downloading a target web site D. Configuring firewall changes on the fly
B. Acting as a mediator between a sender and receiver
Which of the following would be considered a direct exploit? A. Empty password for an administrator B. Buffer overflow C. Spear-phishing email D. Google hacking
B. Buffer overflow
Which technique can help reduce the effectiveness of an adversary's scan of a network? A. Minimize public exposure of internal processes B. Close unrequired ports, protocols, and services C. Apply best practices to password policies D. Monitoring for configuration changes to system files
B. Close unrequired ports, protocols, and services
What type of information can be discovered by analyzing network traffic? A. Active Directory security policies B. Connections to malicious servers or hosts C. Files that have been sent to the Network Recycle Bin D. Motivations of the adversary or attacker
B. Connections to malicious servers or hosts
What is the key to successful log analysis? A. Identifying suspicious Event ID numbers B. Correlating times and events C. Removing events before and after the incident D. Reducing the size of the log files
B. Correlating times and events
What is the reason an attacker would run a "ping sweep"? A. Identify range of open ports on a firewall. B. Discover which hosts are "live". C. Determine vulnerabilities on Linux systems. D. Reduce bandwidth for a DDoS attack.
B. Discover which hosts are "live".
What is currently the number one vector for government cyber attacks? A. Remote Injection B. E-mail C. Web download D. Malicious advertisement
B. E-mail
Enumeration does NOT involve connecting to a target in some way. A. True B. False
B. False
When analyzing an incident, different data sets will always corroborate each others' data. A. True B. False
B. False
Why is deconfliction critical in cyberspace operations? A. By law, a system can only be targeted by one agency in any country at a given time. B. Other organizations, agencies, or countries may also be looking at the same target. C. The Law of War dictates all cyber targets must be disclosed to the UN Security Council. D. All cyberspace operations must be conducted jointly, especially when it's cross-border.
B. Other organizations, agencies, or countries may also be looking at the same target.
What is a hash value? A. A specific string or pattern in a file that allow antivirus and IDSs to detect it. B. The resulting character string after data is processed through a one-way algorithm. C. A baseline pattern which is used to identify variations in files of the same type or with the same metadata. D. Passphrases used to access restricted data when encrypted with the MD5 or SHA1 algorithms
B. The resulting character string after data is processed through a one-way algorithm.
Why are nation state threats potentially the most dangerous? A. Nation states wield coercive power over its citizens, giving them unchallenged power in the cognitive domain of cyber C. Because nation states are in the public domain, the art of deception will be more prominent while other cyber actors will operate in the shadows D. Nation states have strong ideologies that drive them making them more relentless
B. They have access to large amounts of money and personnel giving them resources that other cyber actors may not have
What are the two primary overarching goals of a cyberspace attack? A. deny and manipulate B. seek and destroy C. offensive and defensive D. reconnaissance and entrenchment
B. seek and destroy is wrong
Which of the following is NOT a common method to analyzing logs? A. By directory B. By time C. By activity D. By frequency
C and D are wrong. A is correct.
Which of the following is not a team designated by USCYBERCOM? A. National Mission Teams (NMTs) B. Cyber Protection Teams (CPTs) C. Combat Mission Teams (CMTs) D. Cyber Hacking Teams (CHTs)
C is wrong
What is the difference between capturing traffic on a SPAN/mirror port and inline capture? A. A SPAN/mirror port only collects management traffic and an inline capture collects traffic destined for the router. B. A SPAN/mirror port collects broadcast or multicast traffic and an inline capture collects all traffic that it sees C. A SPAN/mirror port collects consolidated traffic from one port on the device and an inline capture sits between two devices and collects all traffic D. A SPAN/mirror port is used to collect traffic from the honeynet segment of a network and an inline capture collects traffic that is destined for the legitimate network
C. A SPAN/mirror port collects consolidated traffic from one port on the device and an inline capture sits between two devices and collects all traffic
If a threat has extensive financial resources, has the capability and patience to exploit for long term gains, is adept at circumventing physical and procedural safeguards, and devotes a full time, multidisciplinary staff to exploiting the system, the thr A. Focused Criminal Organization (FCO) B. Combat Mission Team (CMT) C. Advance Persistent Threat (APT) D. Organized Cyber Crime (OCC)
C. Advance Persistent Threat (APT)
The components of incident management are: A. Observe, Plan, Approve, Act B. Gather, Analyze, Synthesize, Summarize C. Detect, Respond, Recover, Report D. Prevent, Detect, Intercept, Lessons-Learned
C. Detect, Respond, Recover, Report
System misconfigurations would include all of the following EXCEPT: A. Weak password policies for administrators B. Absent or blank firewall rules C. Installed instant messaging software D. Unmanaged access permissions to file shares
C. Installed instant messaging software
Which of the following is NOT a function of nmap? A. Service detection B. Port scanning C. Password cracking D. Ping Sweep
C. Password cracking
All of the following are benefits of the Defense-in-Depth approach EXCEPT: A. If one security device is breached, another is waiting B. May close the hole or mitigate the vulnerability of another device C. Requires administrators to know various OS's and applications D. Balances capabilities and cost across people, tech, and operations
C. Requires administrators to know various OS's and applications
Which of the following is a characteristic of national government cyber attackers? A. Goal is to spread terror and an agenda B. Focuses on monetary theft and making a profit C. Well-funded with disciplined actors D. Generally not highly skilled or technical
C. Well-funded with disciplined actors
A DNS zone transfer can provide an attacker useful information on: A. connections made to the internal web server. B. perimeter and application firewall configuration and rules. C. organizational naming conventions and IP space. D. administrative access terminals and open SSH ports.
C. organizational naming conventions and IP space.
Which of the following is a good source of cyber threat information? A. US-CERT alerts B. Threat Reports from companies in the industry C. News articles on cyber attacks D. All of the above E. None of the above
D. All of the above
Intrusion Prevention Systems (IPS) have the ability to do all of the following EXCEPT: A. Increase throughput and network speed B. Modify configurations on the fly C. Reset or block TCP connections D. Fragment and reassemble traffic for analysis
D and B are wrong.
Which of the following is NOT typically found in Operating System logs? A. NIDS alerts B. Application events C. Command history D. Audit events
D and C are wrong. A is correct.
Which type of personnel must follow national cyber operations regulations: A. Military Commanders B. Attorneys C. Mission Planners D. All of the Above E. None of the above
D. All of the Above
An incident management policy should cover which topics? A. Scope B. Roles and Responsibilities C. Policy Compliance D. All of the above E. None of the above
D. All of the above
The cyberspace domain overlaps with which other domain(s)? A. Sea B. Land C. Air D. All of the above E. None of the above
D. All of the above
Which security mechanism can social engineering help bypass? A. Intrusion Detection Systems B. Firewalls C. Domain Security Policies D. All of the above E. None of the above
D. All of the above
All of the following are defensive network operation best practices EXCEPT: A. Keeping software up to date is a good maintenance policy for keeping a healthy and secure system B. Performing vulnerability scans regularly assists to monitor system and network health C. Ensuring a "least privilege" policy and enacting good password requirements help to protect users and accounts D. Keep copious notes of all meetings and shift changes to ensure changes can be tracked
D. Keep copious notes of all meetings and shift changes to ensure changes can be tracked
All of the following information can be collected by using NetBIOS null sessions EXCEPT: A. List of shares B. List of users and groups C. List of machines D. List of open files
D. List of open files
Which statement concerning incident management team structure is TRUE? A. A 24/7 operations team is usually the most cost effective solution B. No matter the size of the organization, no one should have a full time role on the incident response staff C. Fully outsourcing incident response is the right choice in most cases D. Outsourced staff may have difficulty physically getting to the incident or having network access
D. Outsourced staff may have difficulty physically getting to the incident or having network access
Which of the following is NOT information that should influence defensive tactics? A. Importance of assets B. Trends in the cyber landscape C. Knowledge of threat actors D. Political motivations
D. Political motivations
All of the following are potential drawbacks of using a firewall EXCEPT: A. Can be a choke point for bandwidth B. Only as good as it's configured and monitored C. Protects only the segment it's deployed on D. Stops unauthorized traffic from reaching the network
D. Stops unauthorized traffic from reaching the network
All of the following are true about Wireshark EXCEPT: A. Can be installed on most operating systems B. Used for analyzing and filtering network traffic C. Can break down packets into each layer's data D. Used to crack encrypted network traffic
D. Used to crack encrypted network traffic
Which is a security-focused function of a router? A. Connecting two LANs together B. To determine which network hops data should be sent to C. Segment networks within an enclave D. Identify hosts and networks with IP addresses
D is wrong.
Which technique can help prevent an adversary's ability to conduct reconnaissance? A. Change default error codes produced by public facing applications B. Apply best practices to password policies C. Incorporate Data Loss Prevention tools and techniques D. Run periodic and recurring vulnerability and port scans
A is wrong.
Which piece of information is not likely to be discovered using web crawling tools? A. Informational comments and sensitive data B. Local path information C. Server names and IP addresses D. User cookies and session tokens
B is wrong. D is correct.
