Cysa DION 4


Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT? Network traffic analysis Endpoint forensics Endpoint behavior analysis Network forensics

APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.

Which of the following types of capabilities would an adversary need to identify and exploit zero-day vulnerabilities? Acquired and augmented Developed Advanced Integrated

According to the MITRE ATT&CK framework, developed capabilities can identify and exploit zero-day vulnerabilities. Acquired and augmented refers to the utilization of commodity malware and techniques (i.e., script kiddies). Advanced capabilities refer to those that can introduce vulnerabilities through the supply chain in proprietary and open-source products. Integrated capabilities involve non-cyber tools such as political or military assets.

You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed 'history' into the prompt and saw the output:

echo 127.0.0.1 diontraining.com >> /etc/hosts

Which of the following best describes what actions were performed by this line of code? Routed traffic destined for the diontraining.com domain to the localhost Routed traffic destined for the localhost to the diontraining.com domain Added the website to system's whitelist in the hosts file Attempted to overwrite the host file and deleted all data except this entry

Based on the output provided, it appears that the attacker has attempted to route all traffic destined for diontraining.com to the IP address specified (127.0.0.1). This is typically done either to prevent a system from communicating with a specific domain or to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and diontraining.com is being appended to the /etc/hosts file (the >> operator appends rather than overwrites).

Which of the following elements is LEAST likely to be included in an organization's data retention policy? Maximum retention period Minimum retention period Classification of information Description of information that needs to be retained

Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.

A cybersecurity analyst reviews the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? Returns all web pages containing an email address affiliated with diontraining.com Returns all web pages hosted at diontraining.com Returns all web pages containing the text diontraining.com Returns no useful results for an attacker

Google interprets this statement as <anything>@diontraining.com and understands that the user is searching for email addresses, since %40 is the URL-encoded hex code for the @ symbol. The * is a wildcard character, meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear-phishing campaign.

In a scenario where an organization has implemented a strict change management policy, how might this policy influence the process of remediating identified vulnerabilities? By guaranteeing seamless coordination between different departments By creating bureaucratic delays in implementing necessary patches and updates By ensuring automatic remediation of vulnerabilities By reducing the operational costs of the IT department

If governance policies require multiple approvals for actions, they could slow down the process of remediating vulnerabilities. Governance policies do not ensure automatic remediation; they guide an organization's approach to handling vulnerabilities. While effective governance can improve interdepartmental coordination, it does not inherently expedite vulnerability remediation.

Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach? A VM escape exploit could allow an attacker to gain access to the SIEM The company will be dependent on the cloud provider's backup capabilities The company will have less control over the SIEM Legal and regulatory issues may prevent data migration to the cloud

If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. Most cloud providers have degrees of redundancy far above what any individual on-premises provider will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premises solution using a virtualized cloud-based server. While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.

Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? FISMA HIPAA COPPA SOX

The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or human-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children's Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

You have just run the following commands on your Linux workstation:

DionTraining:~ root# ls
Names.txt
DionTraining:~ root# more Names.txt
DION
DIOn
Dion
dion
DionTraining:~ root# grep -i DION Names.txt

Which of the following options would be included as part of the output for the grep command issued? (SELECT ALL THAT APPLY) Dion DION Dion dion DIOn

The general syntax for the grep command is "grep [options] pattern [files]". The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive. Therefore, all uppercase and lowercase variations of the word "DION" will be matched in the file and displayed as the command output. By default, grep is case sensitive, so "grep DION Names.txt" would only display "DION" and ignore the other variations.

A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems? The same vulnerability will be compromised on their servers The attacker will conduct a SQL injection against their database The attacker will conduct a man-in-the-middle attack They may now be vulnerable to a credential stuffing attack

The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumption group, it is likely that some of Yoyodyne's consumers also had a user account at Whamiedyne. There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn't mention an SQL database. Therefore, there is no direct threat of an SQL injection. A man-in-the-middle (MitM) attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the host. Nothing in this question indicates that a MitM was utilized or is a possible threat.

You suspect that a system's firmware has been compromised. Which type of firmware would provide resistance against such an attack? UEFI Standard Firmware BIOS Trusted Firmware

Trusted Firmware is designed to be resistant to attacks, providing a secure foundation for system boot and operating system load. BIOS (Basic Input/Output System) is a type of firmware used during the booting process, but it's not designed to be resistant to attacks like Trusted Firmware. While UEFI (Unified Extensible Firmware Interface) is a specification for a software interface between an operating system and platform firmware, it does not inherently provide resistance against attacks. Standard Firmware may not include the security features found in Trusted Firmware.

Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? Use of a host-based IDS or IPS Installation of anti-virus tools User and entity behavior analytics Implement endpoint protection platforms

User and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices.

You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? Disassemble the files and conduct static analysis on them using IDA Pro Run the Strings tool against each file to identify common malware identifiers Scan the files using a local anti-virus/anti-malware engine Submit the files to an open-source intelligence provider like VirusTotal

VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised because the scanner may also be compromised.

Your company has just announced a change to an "API first" model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability? Insufficient logging and monitoring makes it impossible to detect when insecure deserialization vulnerabilities are exploited Lack of input validation could lead to a cross-site scripting attack Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution Lack of input validation could allow for a SQL attack

When implementing an API, objects in memory from one computer can be serialized and passed to another for deserialization. If the API user is malicious, they may create a fictitious object, appropriately serialize it, and then send it through the API for execution. The only model for defeating this approach is to allow the API to be exposed only to trusted sources or to not serialize anything with potentially executable source code (i.e., non-primitive data types).

You are a cybersecurity analyst investigating a potential network issue at your company. You suspect there is unusual traffic on your company's network. Which of the following tools would be most effective for capturing and analyzing network packets in real-time to investigate this issue? Ping tcpdump Nmap Wireshark

tcpdump is primarily used for capturing and analyzing network packets in real-time, which would be effective for investigating unusual network traffic. While Wireshark is also a network protocol analyzer, it provides a GUI and more detailed analysis features than tcpdump. However, for quick, real-time traffic analysis, tcpdump is more lightweight and often preferred. Nmap is primarily used for network discovery and security auditing. It can identify what hosts are available on the network, what services those hosts are offering, what operating systems they are running, and what type of packet filters/firewalls are in use. It doesn't focus on real-time packet analysis. Ping is a basic network tool used to test whether a particular host is reachable across an IP network and to measure the round-trip time for packets. It doesn't provide real-time traffic analysis.

Which of the following would be used to prevent a firmware downgrade? eFUSE TPM SED HSM

eFUSE is an Intel-designed mechanism that allows software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, as implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number.
