4.0 Operations and Incident Response
The cat command
A Linux command for viewing files. Here, the command will display the contents of the file hostnames
traceroute
A command that performs route discovery from a Linux host using UDP probes rather than ICMP
-Active KillDisk software -Paper shredder
A company is going through excess equipment and recyclables. Management will repurpose all the computer workstations and discard archived printed documents. Which of the following can help achieve the company's goals? (Select all that apply.)
-Policies and procedures -Personnel and resources
A company is in the preparation phase of implementing an incident response plan. All technical security controls are in place. Currently, the company needs to establish guidelines for handling an incident. Evaluate and select the appropriate guideline items. (Select all that apply.)
server-side injection attacks
A company that produces and sells financial software uses a Structured Query Language (SQL) database for its marketing data, employee data as well as financial data. The IT team reports irregularities in relational queries, reporting data being accessed haphazardly and randomly. The team leader reviews the application, network and DNS logs and suggests an intruder has been examining the database, and likely used UNION attacks and modified queries to retrieve extra data and data from other tables. Deduce what kind of attack(s) the investigation is likely to discover
Evidence has been tampered with
A computer system at a local company was breached. Since the incident, internal IT support has removed a USB flash drive found plugged into the machine. Security experts now question the validity of the chain of custody. Which statement justifies the analysis of the situation?
-To ensure non-repudiation -To ensure no evidence is missed -To establish provenance of the evidence
A cyber forensic investigator is acquiring evidence for a case. The investigator is recording the entire acquisition process on video, as well as recording timestamps for each action and collecting evidence in order of most to least volatile. Describe the purpose of these extra steps. (Select all that apply.)
-Details of servers carrying the message -Results of spam checking -Sender address
A cybersecurity analyst is using a header analyzer to examine the headers of classified emails retained according to the organization's email retention policy. What types of information might the analyst find in email headers? (Select all that apply.)
-Copy disk with dd command -Create snapshots of all volumes -Save disk image with FTK Imager
A cybersecurity forensics investigation team has possession of a hard disk thought to contain evidence, as well as a possible virus. To avoid interfering with evidence and to safely investigate within a sandbox, the team resolves to acquire a disk image. Outline possible tools or methods the team can use to accomplish this task. (Select all that apply.)
-Initiate sleep mode and analyze the hibernation file -Reboot and analyze memory dump files
A cybersecurity forensics investigation team is investigating a compromised Windows system. The team has determined that being the only Windows machine on the network, the vulnerability may be at the OS level. The team proceeds to acquire OS-level information from Windows. Determine appropriate methods the team can use to accomplish this task. (Select all that apply.)
Metasploit
A cybersecurity framework that offers information on security flaws and assists in penetration testing and creation of IDS signatures
route
A cybersecurity investigator is investigating a breach, and the method of entry is not yet known. The investigator decides to begin by checking for suspicious entries in the routing table. Select the command-line tool that will enable the investigator to directly access the table
-Use Wireshark to capture DNS traffic between clients and the DNS resolver and save it to a .pcap file -Use OSSEC to collect DNS server logs and search for known malicious domains -Use OSSEC to compose rules to report NXDOMAIN responses or other activity
A cybersecurity specialist working for an Internet Service Provider (ISP) noticed some unusual indicators of malicious activity and suspects that there may be a remote-access trojan or botnets present in the network. The specialist will begin looking at some Domain Name System (DNS) servers. Prescribe next steps that will assist in the investigation. (Select all that apply.)
dnsenum
A cybersecurity student has been using dig and whois to query hosting records and check external DNS services when a fellow student recommends a tool that packages similar functions and tests into a single query. Conclude what tool the student recommended
Volatility
A forensics analyst is attempting a live acquisition of the contents of the memory of a running Linux device. In order to copy the blocked /dev/mem file with memdump or dd, the analyst must install a kernel driver. Recommend a framework that will enable the analyst to install a kernel driver
-Use the DoD 5220.22-M method -Degauss media with a magnet
A government agency is getting rid of older workstations. The agency will donate these workstations, along with other excess computer systems, to nearby schools. Management reminds the systems administrators about the data sanitization and disposal policy. What policy items are applicable for these IT systems, prior to donating to the schools? (Select all that apply.)
Decision maker
A group of security professionals from several non-competing organizations address local security incidents by forming a Unified Cyber Incident Response Team (CIRT). The goal of the program is to share insights and knowledge and assist in mitigating threats. Considering the team's desire for diversity among the team's membership, determine which user type they should include.
Meterpreter
A hacker has scanned the network for vulnerabilities and plans to inject malicious software into an unprotected server. The hacker wants to use this server as a jump server to gain access to the network and execute more code in the future. However, the hacker does not want to leave any trace behind, if caught. Which of the following tools would the hacker most likely use?
Cuckoo
A malware expert wants to examine a new worm that is infecting Windows devices. Verify the sandbox tool that will enable the expert to contain the worm and study it in its active state
Degaussing
A method of erasing data on a hard drive with a powerful magnet
Bottom of the rules list
A mortgage company's firewall access control list blocks all traffic from bogon networks and a specific private address range but allows any HTTP, HTTPS, or SMTP traffic from any other source. Implicit denial occurs when traffic does not match any rule. At which point in the processing of an access control list is an implicit denial likely found?
-t
A network admin troubleshoots a virtual host that recently restarted. The admin wants to know when the virtual host is reachable through the network. Which ping switch would provide the most useful information?
Revoke the host's certificate
A network administrator for a large oil company has discovered that a host on the company network has been compromised by an attacker spoofing digital certificates. Recommend an immediate response that does not require generating new certificates
-It can eavesdrop on network communication -It can scan a network for open ports
A network administrator's computer desktop is full of network security tools that are useful for patching and hardening the network. However, after an audit, the admin recently discovered a Wireshark application, which alarmed management. What is it about Wireshark that makes management apprehensive about having it on company computers? (Select all that apply.)
-dd -memdump -WinHex
A network security analyst for a large company is testing system vulnerabilities by capturing system memory live while simultaneously attempting different methods of penetration and simulated attacks. The network consists of both Windows and Linux machines. Assess the tools that the analyst could employ in this process for capturing system memory on either OS. (Select all that apply.)
-WinHex -FTK Imager
A network security analyst for a large company is testing system vulnerabilities by capturing system memory live while simultaneously attempting different methods of penetration and simulated attacks. The network consists of only Windows machines. Assess the tools that the analyst could employ in this process for capturing system memory of machines in this network. (Select all that apply.)
Test access point (TAP)
A network tech is installing an intrusion detection system (IDS) on a corporate network. The system is intended to be a long-term monitoring solution and would ideally split or copy network signals on the physical layer, to avoid frame loss. Anticipate the type of sensor the tech will install in conjunction with the IDS
Sn1per
A new cybersecurity analyst is working at his first job. The analyst requires a penetration test reporting and evidence gathering framework that can run automated tests through integration with Metasploit. Recommend a framework that will fulfill the analyst's needs
Run ipconfig /all on a client computer
A new site includes a Windows domain controller, a DHCP (dynamic host configuration protocol) server, a Linux file server, and a Windows web server. An independent auditing team arrived to assess basic security guidelines and company policies. Today, the auditing team will perform the following tasks: (1) dynamically assign addresses on client Windows computers, and (2) verify the installation of antivirus software. Which of these actions will provide any of the information needed for today's assessment?
-nmap xxx.xxx.x.x -O -nmap xxx.xxx.x.x -A
A penetration tester is experimenting with Nmap on a test network. The tester would like to know the operating system of the target device. Select all Nmap commands that will provide the tester with OS information. (Select all that apply.)
The scanless tool
A port scanner that runs its scans through third-party websites to evade detection. It does not check hosting records or DNS services
-Query strings to identify incident types -When to report compliance incidents -Incident categories and definitions
A resident cybersecurity expert is putting together a playbook. Evaluate the elements that the security expert should include in the playbook. (Select all that apply.)
Allow list
A secure military intelligence site has a local network, and each machine is Linux-only and secured in every way possible. Despite causing increased support time and higher costs, the network's execution control policy ensures that malicious software, not yet identified as such, cannot run on machines at the site. Determine the type of code execution policy that would have this effect
Tabletop
A security consulting firm will be working with the staff of a local business to perform a disaster recovery exercise. After discussing options for performing the exercise, the firm decides to apply a specific approach to best meet the organization's needs by "ghosting" the same procedures as they would occur in an actual disaster. Apply knowledge of the scenario to conclude which exercise method the firm uses
Gather employee login credentials
A security event popped up, alerting security of a suspicious user gaining access to, and copying files from, the %SystemRoot%\NTDS\ file path on a server. What is the user trying to do?
Identification
A security incident has occurred at a business that has exposed the personal data of numerous customers. In accordance with the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, at which stage in the incident response lifecycle should the company notify their stakeholders?
Order of volatility
A system has been compromised at a local business. In response, a help desk technician began recovery by powering the system down. As a result, what has been compromised?
-tshark -tcpdump
A systems administrator recently hardened two servers (Linux and Windows), disabling unused ports and setting up a software firewall to specific port connections and protocols. These servers support employees at an external branch that operates on wireless network connections and laptops. Which of the following tools will help audit the server's security settings with the least amount of effort? (Select all that apply.)
Scanless
A white-hat penetration tester is simulating an attack to check for vulnerabilities. The first step is to determine if the pen tester can scan for ports or services that have been left open, without being detected by the Intrusion Prevention System (IPS). Recommend a tool that fits the pen tester's requirements
Timestamps are in coordinated universal time
After a recent incident, investigators are performing forensics on a Windows server. While using various tools to examine damaged data, they discover the timestamps on an NT file system (NTFS) volume do not seem correct and are a few hours different from local time. What determination should the experts conclude as the reason for the timestamp discrepancy?
Netstat
An administrator wants to quickly assess the open ports of a Windows server. Which command will provide the admin with the right information?
Check network logs
An attacker has defaced a simple and up-to-date WordPress website running on a fully-patched Ubuntu Server that a web developer administers. The forensics team has taken the computer down after the developer reached out for assistance. The forensics team has isolated the server to preserve the current status of the device and its records. They blocked remote access to the attacker, preventing interaction with all other devices on the network. In continuing the investigation, what is the most appropriate next step to determine how or where the attack was initiated?
Legal hold
An incident has recently occurred at a medium-sized business. The business suspects an employee of leaking information online. As a result of the investigation, authorities have secured the employee's computer as evidence. Identify the term that describes this type of action
NXlog
An open-source centralized log collection tool. It has features similar to a SIEM, such as alerting, normalization, aggregation, correlation, and retention. Multi-platform compatible
Wireshark
An open-source packet capture utility that can capture network packets in the form of .pcap files. It does not check hosting records or DNS services
Eradication
An organization found crypto-malware in their computer systems. A systems admin identified the cause of the infection to be an employee's USB flash drive. The admin is now restoring the systems from a backup, testing them, and bringing them back online. Considering incident response procedures, how can finding the cause be categorized?
Timeline
Analyze the following terms and consider computer forensic investigation best practices. Which best fits the criteria of preservation of evidence?
tracert
Command that uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network on Windows
After-action report
Continuity of Operations (COOP) and Disaster Recovery Planning (DRP) are processes that need to be reflected upon routinely. This allows organizations to review and improve processes. Apply knowledge of how processes are implemented to conclude the best time to execute improvement
import re

filename = "sample.txt"
pattern = "test"

def search_file(name_of_file, grep_pattern):
    # open the file and print every line that matches the regular expression
    with open(name_of_file, "r") as file:
        for line in file:
            if re.search(grep_pattern, line):
                print(line)

search_file(filename, pattern)
During an interview, a security analyst is presented with four code blocks and asked to identify which one correctly defines and calls a function that uses grep to search a file in Python. Validate the analyst's choice
Select-String -Path C:\temp\sample.txt -Pattern "Test"
During an interview, a security analyst is presented with four code blocks and asked to identify which one correctly defines and calls a function to search a keyword in a file using PowerShell on Windows. Validate the analyst's choice
tail /var/log/hostnames -n 15
Identify the command that will output the 15 most recent entries in the log file called hostnames
curl
Identify the command-line tool that performs data transfers over a network
-Non-volatile -Volatile
Image acquisition is the process of obtaining a forensically clean copy of data from a device held as evidence. Which types of storage should be carefully imaged in an investigation? (Select all that apply.)
Reduce or increase number of rules
Improperly tuned system sensitivity of Security Information and Event Management (SIEM) dashboards can result in both false negatives and false positives. Describe how a security specialist might adjust the sensitivity of the dashboard's automated alerts
-Check all computers for installed anti-virus software -Perform passive reconnaissance activities
It is time to audit the network's security. Which of the following will help with the process of scanning for vulnerabilities? (Select all that apply.)
-Create a hash before and after analysis and compare the checksums -Use a write blocker during analysis to prevent data from being changed
Law enforcement has acquired a disk as evidence and copied the disk for analysis. Suggest a way to maximize the integrity of the analysis process to ensure non-repudiation is possible. (Select all that apply.)
-SIEM -NXlog
Point out the ideal tools for collecting system, network, and security logs. These tools also aggregate and normalize log data, raise alerts based on correlation rule matches, and provide advanced tools for threat analytics, as well as complete history retention. (Select all that apply.)
Roles and responsibilities
Security experts are performing disaster recovery exercises with employees at a software development company. Which key element should the security experts focus on as a goal of these activities?
-Blackhole -Sandboxing -Physical disconnection/air gapping
Select the methods of containment based on the concept of isolation. (Select all that apply.)
-Honeynet -Sinkhole
Select the methods of containment based on the concept of segmentation. (Select all that apply.)
-An unauthorized user accesses a server -The investigation of a recent incident is ongoing -A worm has infected a device on the network
Select the scenarios where containment measures, such as isolation and segmentation techniques, should be taken. (Select all that apply.)
SIEM (Security Information and Event Management)
Software that collects and collates security and log data from across a network in real time and organizes it for efficient threat analysis, with the ability to link events and related data into alertable reports
-NXlog -SIEM
The admin of a large corporate network is updating the log management systems for the network. The company only installed a basic central collection of system, network, web, and security logs. The administrator needs a solution that provides advanced tools for threat analytics, and also provides complete history retention and aggregates and normalizes the log data it collects. The administrator also wants a tool that raises alerts based on correlation rule matches, which simplifies the threat analysis process. Recommend potential solutions for the admin. (Select all that apply.)
Video
The computer system was breached at a large business, and the suspect is a high-level executive. Several employees have been called as witnesses, and investigators are evaluating a questioning approach. Considering how evidence may be collected and documented, which method is more reliable but may make witnesses less willing to provide a statement?
-tcpreplay -Wireshark -tcpdump
The resident IT administrator at a small community bank has hired an outside consultant to assist in investigating a suspected network intrusion. The administrator asks the consultant what tools or methods can determine if anything suspicious is happening on the network. Predict which tools would be components of a viable response from the contractor. (Select all that apply.)
pathping
Tool for Windows that provides statistics for latency and packet loss along a route over a longer measuring period. The equivalent on Linux is mtr
Disk images include bootloader and OS
What is the main difference between a snapshot and a disk image?
The DoD 5220.22-M wipe method
What method involves a three-phased pass of writing 1s, 0s, and random characters onto a hard drive? This method will prevent the use of many software-based file recovery methods
Check application logs
When a network security technician is running automated scans, the vulnerability scanner alerts the technician about a process running on a Windows system. The program that generates this process is volatile, causing lock-up and crash of processes and services of connected applications, according to the scanner. The scanner has not generated any other alerts. Recommend an initial route of investigation the technician should take
-Record the process on video -Collect evidence according to the order of volatility -Provide time stamps of the acquisition process
When submitting digital evidence, it is important to prove the provenance of the evidence. If the evidence is in doubt, then it may become inadmissible in a court of law, or it may become impossible to reach non-repudiation. Recommend strategies for establishing the provenance of the evidence during the acquisition process. (Select all that apply.)
The logger command
Which command writes input to the local system log or to a remote syslog server?