CySA+ Final

What are the main types of IoCs that can be identified through analysis of the Registry?

Look for use of persistence mechanisms in the Run, RunOnce, and Services keys, Look for applications changing file associations via the Registry

The Qualys infrastructure vulnerability management engine is only available as a cloud service. True or False?

True

The process for reidentifying tokenized data involves using the token server to look up the original value of the token. True or False?

True

When using a vulnerability scanner in a regulated environment, the regulator might impose requirements on the types of scans and scan frequency to remain compliant. True or False?

True

As part of your threat hunting proposal, you need to identify benefits of the program. You have listed opportunities to close attack vectors, reduce the attack surface, and bundle critical assets within additional layers of security controls. What other benefit or benefits does threat hunting offer?

An added benefit of threat hunting is to provide experience via practice in a less stressful environment for inexperienced analysts. Threat hunting can also identify new sources for logging and improve signature-based detection engines.

What is the function of the -A switch in Nmap?

Enables OS detection, version detection, script scanning, and traceroute

Identify all of the network architecture security solutions for infrastructure management in this list. (select all that apply) Physical ,Software-defined, Hardware-defined, Virtual private cloud, Diskless

Physical, Software-defined, Virtual private cloud

A port that is reported as "closed" by Nmap is likely to be one protected by a firewall. True or false?

False

Luis discovers the following entries in /var/log/auth.log. What is most likely occurring? Aug 6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2, Aug 6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2, Aug 6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2, Aug 6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2, Aug 6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2, Aug 6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2, Aug 6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2, Aug 6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2, Aug 6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2, Aug 6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2

A brute-force attack against the "root" account

Your company has experienced a severe security incident caused by an employee uploading a database to a cloud storage service. What type of security solution will help to mitigate against this type of risk in the future?

A cloud access security broker (CASB)

How do you distinguish non-critical from critical systems?

A critical system is a system that the business could not afford to lose.

Damian has discovered that systems throughout his organization have been compromised for over a year by an attacker with significant resources and technology. After a month of attempting to fully remove the intrusion, his organization is still finding signs of compromise despite their best efforts. How would Damian best categorize this threat actor?

APT

Despite operating a patch management program, your company has been exposed to several attacks over the last few months. You have drafted a policy to require a lessons-learned incident report be created to review the historical attacks and to make this analysis a requirement following future attacks. How can this type of control be classified?

Administrative/Corrective

When you connect to your organization's network, your PC runs the NAC software the systems administrator installed. The software communicates to the edge switch you are plugged into, which validates your login and system security state. What type of NAC solution are you using?

Agent-based, out-of-band

What type of system isolation described in Lesson 9 ensures that the host is physically disconnected from any network?

Air gap

Michelle runs the following grep command. What text will it match? grep -i example *.txt

All occurrences of the text example in all files in the current directory with a .txt extension

What type of policy might include or supplement a Bring Your Own Device (BYOD) policy?

An acceptable use policy

What is the function of the -sV switch in Nmap?

Attempts to determine the version of the service running on port

A hard disk has been removed from a computer so that it can be subjected to forensic evidence collection. IN ORDER, which steps should you take to complete this process?

Attach the disk to a forensic workstation using a write blocker, Make a cryptographic hash of the disk contents, Make an image of the disk contents, Make a cryptographic hash of the image and verify it

You are asked to configure an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this?

Behavior

The Snort IPS that Adam has configured includes a rule that reads: alert tcp $EXTERNAL_NET any -> 10.0.10.0/24 80 (msg:"Alert!"; content:"http|3a|//www.example.com/download.php"; nocase; offset:12; classtype: web-application-activity;sid:5555555; rev:1;) What type of detection method is Adam using?

Behavioral-based

What type of evidence can NOT be retrieved from system memory analysis?

Build a complete list of system files

What is a CPE in the context of vulnerability scanning?

Common Platform Enumeration (CPE) is a standardized way of referring to OS and application software and hardware appliances, maintained by NIST.

What methods can you use to validate the results of a vulnerability scan? (select all that apply)

Compare to compliance or configuration baselines, Review logs and other data sources, Repeat the scan (possibly using a different scanner)

What does a CVSS score of 9.1 represent?

Critical Vulnerability

You want to prevent email impersonation of individuals inside your company. What technology can help prevent this?

DMARC

Which two factors affecting severity level classification have been omitted from the following list? Downtime, detection time, data integrity, economic, system process criticality, reverse engineering.

Data correlation, Recovery time

Yaan uses multiple data sources in his security environment, adding contextual information about users from Active Directory, geolocation data, multiple threat data feeds, as well as information from other sources to improve his understanding of the security environment. What term describes this process?

Data enrichment

Which two main classes of attack would you suspect if you observe a bandwidth consumption IoC from a client workstation on the local network to a host on the Internet?

Data exfiltration attack, Bot infection

In the context of Technical Data and Privacy Controls, what is EDM?

Exact Data Match is a database of strings of actual private data converted to fingerprints through a hash process

Review the CTI produced by the Financial Services ISAC at fsisac.com/whatwe-do/intelligence.What additional types of information are provided?

FS-ISAC provides tactical, operational, and strategic threat intelligence with actionable information. They also help communicate with C-suite or Board-level stake holders, which would be a big plus for many CSO's.

While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries: Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root, Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6> 3, Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2, Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth], Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth] Which of the following has NOT occurred?

Fail2ban has blocked the SSH login attempts.

Most pen tests should be defined with an open-ended scope to maximize the chance of detecting vulnerabilities. True or false?

False

Public information does not have any required security attributes. True or False?

False

Static code analysis can only be performed manually by other programmers and testers in a process of code review. True or False?

False

The dedicated nature of an RTOS makes it less susceptible to software-based exploits to perform remote code execution. True or False?

False

What part of the NIST Cybersecurity Framework is used to provide a statement of current cybersecurity outcomes?

Framework Profile

Which three types main types of dynamic analysis are available for software testing?

Fussing, Stress testing, Interactive debugging

Which class of data criticality factor does not belong in the following list? PII, PHI, SPI, IP, financial and corporate information.

HIPAA

What two types of space on a disk are analyzed by file-carving tools?

Slack space, Unallocated space

Review the open-source feeds available at misp-project.org/feeds. What type of threat intelligence do these provide?

IP addresses for blacklisting

IN ORDER, what are the four phases that outline the procedures involved in a forensics investigation?

Identification, Collection, Analysis, Reporting

Select all software vulnerability classes referenced in Lesson 11. (select 3) use of secure functions Improper error handling secure components Insecure object reference Broken authentication

Improper error handling, Insecure object reference, Broken authentication

What type of cloud model provisions unconfigured VM instances with support for the selection of multiple different operating systems?

Infrastructure as a Service (IaaS)

Which of the following is NOT considered a network-related potential indicator of compromise? Common protocol over non-standard port, Bandwidth consumption, Irregular peer-to-peer communication, Scan/sweep, Unusual traffic spike, Internet access on port 443,Rogue device on the network

Internet access on port 443

Where does SAML fit into SOA?

It is often used for exchange of authentication, authorization, and accounting information

What is the definition of a Course of Action (CoA) matrix?

It maps the controls available for each type of function to adversary tools and tactics

What will a search using the following command do? grep -n -i -v mike *

List all the lines where the word Mike does not show up, regardless of case, in all files in the current directory

Isaac wants to identify known good behavior patterns for all of the applications that his organization uses. If he doesn't want to have a staff member review logs and behaviors for every application in every scenario it is run, what type of analytical tool would best be suited to dealing with this volume and type of data?

Machine learning

Isaac's organization has deployed a security tool that learns how network users typically behave and then searches for differences that match attack behaviors. What type of system can automatically analyze this data to build detection capability like this?

Machine learning

Your firewall log shows that the following packet was dropped - what service was the sender trying to access? IN=eth0 OUT=MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=172.16.0.192 DST=192.168.0.22 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4018 DF PROTO=TCP SPT=2584 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

Microsoft Remote Procedure Call (RPC)

You are asked to write a Snort rule that reads: Alert tcp any -> 10.10.11.0/24 3306 What type of traffic will it detect?

MySQL traffic

What is the role of the blue team during a pen test?

Operate the security system to detect and repel the intrusion.

Which of the following IS NOT an example of secure coding best practices? Authentication, Input validation, Output encoding, Output validation

Output validation

Which cloud infrastructure assessment tool is best suited for use in penetration testing?

Pacu

What type of vulnerability scanning is being performed if the scanner sniffs traffic passing over the local segment?

Passive scanning

Identify two types of horizontal brute force attacks.

Password spraying, Credential stuffing

Which of the following capabilities is not a typical part of a SIEM system?

Performance Management

Zhi wants to capture network flows from her network as shown in the following image. Where should she collect network flows to balance maximum visibility without collecting unnecessary information?

Point B

You are devising a password policy that is compliant with NIST 800-63b guidelines. Which factors for employee password creation are most important to enforce through system rules? (choose 2)

Prevent the use of dictionary words and repetitive strings, Set a minimum length of at least eight characters

Which of the items from the following list is not typically found in an email header? Sender IP address, Date, Private key ,Receiver IP address?

Private key

What does PHI mean?

Protected Health Information

What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user's workstation?

Remote execution of code

Which type of framework allows greater local factors to have more influence over security control selection?

Risk-based

Eric wants to send an email using a digital signature to ensure that the recipient can prove that the email was sent by him and that the content has not changed. What technology is frequently used for this?

S/MIME

What type of security information is primarily used to detect unauthorized privilege IoCs?

Security events in an audit log

How is the simplest, most common scan scope configured?

Specifying a target IP address or IP address range

IN ORDER, what steps would you take to investigate irregular peer-to-peer communication?

Start an incident response ticket and log all actions taken, Identify the IP addresses involved, Raise the logging and packet capture level to monitor the communications, Identify the traffic, Close the channel to prevent further release of information

What are your strategic, operational, and tactical requirements for threat intelligence?

Strategic requirements are related to overall themes and objectives that affect projects and business priorities. This is the information that should be shared with executives in less technical terms in order for them to make high-level decisions. This would include any large security trends and events related to the new cloud-based infrastructure, so that timely decisions can be made that keep the company in front of the quickly changing technology. Operational intelligence relates to the everyday priorities of managers and specialists. In this case, it would be necessary to understand who might be interested in compromising the system and how they might infiltrate the new cloud-based system in order to decide which steps to take in the near future. Tactical requirements relate to the actions that should taken by staff in response to specific alerts or status indicators. This type of intelligence is highly technical and would be gathered from system logs and automated feeds.

To preserve evidence of a temporary file system mounted to a host, which system device must you target for evidence collection?

System memory (RAM)

A bespoke application used by your company has been the target of malware. The developers have created signatures for the application's binaries, and these have been added to endpoint detection and response (EDR) scanning software running on each workstation. If a scan shows that a binary image no longer matches its signature, an administrative alert is generated. What type of security control is this?

Technical/Detective

Review the platform provided by a commercial solution, such as fireeye.com/solutions/cyber-threat-intelligence.html, noting the market review provided by Forrester (fireeye.com/content/dam/fireeye-www/products/pdfs/pf/intel/rpt-forrester-threat-intel-services.pdf). What are some of the differentiators from an open-source feed?

The commercial solutions offer many services besides just threat feeds including multi-lingual personal support and analysts, helpful interfaces, dark web scanning, all with cyber-criminal, financial, and nation-state focus. Many commercial solutions also include the information from open source feeds.

Kathleen wants to ensure that her team of security analysts sees important information about the security status of her organization whenever they log in to the SIEM. What part of a SIEM is designed to provide at-a-glance status information?

The dashboard

Following a serious data breach affecting a supplier company, your CEO wants assurance that your company is not exposed to the same risk. The supplier is willing to share threat data gathered about the breach with you. You advise a threat hunting program as the most appropriate tool to use. What should be the first step in this process?

The first step in the threat hunting process should be to form a hypothesis.

While reviewing email headers, you notice an entry that reads: From: "John Smith, CIO" [email protected] with a "Received: parameter" that shows "mail.demo.com [10.74.19.11]". Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com?

The headers were forged to make it appear to have come from John Smith.

As a relatively small company, with no dedicated SOC, what is the main risk from deploying a threat intelligence feed?

The main risk of a small company deploying a threat intelligence feed is that it could provide information that isn't actionable, trigger false positives, or a false sense of security. They might not know what to do with the data.

Your organization is planning to transition from using local clients to provisioning desktop instances via cloud-based infrastructure. Your CISO has asked you to outline a threat-modeling project to support selection and development of security controls to mitigate risks with this new service. What five methodologies should your outline contain?

The outline should contain Adversary Capability, Total Attack Surface, Attack Vector, Impact, and Likelihood.

While reviewing systems you are responsible for, you discover that a user has recently run the following command in a Windows console window. What has occurred? psexec \\10.0.11.1 -u Administrator -p examplepw cmd.exe

The user has opened an interactive command prompt as administrator on a remote workstation.

Review the open-source feeds available at misp-project.org/feeds. What type of threat intelligence do these provide?

They provide threat intelligence for blacklisting IP addresses

How is integrated intelligence most commonly used in a firewall system?

Threat intelligence is used to provide IP information for rules.

Your company is interested in implementing routine backups of all customer databases. This will help uphold availability because you will be able to quickly and easily restore the backed-up copy, and it will also help uphold integrity in case someone tampers with the database. What controls can you implement to round out your risk mitigation strategy and uphold the components of the CIA triad?

To uphold the CIA triad, a control addressing confidentiality such as access control lists, password and data encryption, or two-factor authentication should be added.

Your border firewall uses a default allow policy, but you want to block outgoing requests for UPnP. Which port do you need to create a deny rule for?

UDP port 1900

What technology tracks endpoint user and entity behaviors, centralizes that data as well as other security data, and then uses statistical models to detect unusual behavior and notify administrators?

UEBA

Identify the main principles of effective API key management. (choose 3) Use least privileges policies for each account/key, Change passwords every 90 days, Only apply patches in months with a "Y", Delete unused keys and regenerate live keys periodically, Do not embed keys in source code

Use least privileges policies for each account/key, Delete unused keys and regenerate live keys periodically, Do not embed keys in source code

What is "packet injection"

Using software to write packets directly to the network stream, often to spoof or disrupt legitimate traffic.

In the context of digital forensics, what is VMI?

Virtual Machine Introspection

What is horizontal privilege escalation?

When a user obtains access to resources at the same level of privilege but from a different domain

You want to determine if a message you received was forwarded by analyzing the headers of the message. How can you determine this?

You cannot determine if a message was forwarded by analyzing the headers.

You have been requested to block traffic sent to a suspected malicious host. What iptables rule entry can you use to block traffic to a host with IP address 10.24.31.11?

iptables -A OUTPUT -d 10.24.31.11 -j DROP