Ch 1 - 3


D. TAXII TAXII, the Trusted Automated Exchange of Indicator Information protocol, is specifically designed to communicate cyber threat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language.

Cyn wants to send threat information via a standardized protocol specifically designed to exchange cyberthreat information. What should she choose? A. STIX 1.0 B. OpenIOC C. STIX 2.0 D. TAXII

C. Active UDP connections. Netstat cannot list active UDP connections because UDP is a connectionless protocol: netstat -a will show the UDP sockets a system has bound, but there is no connection state to report. Active TCP connections (netstat), the executables associated with them (netstat -b, which requires an elevated prompt), and the route table (netstat -r) are all available via netstat on Windows.

During passive intelligence gathering, you are able to run netstat on a workstation located at your target's headquarters. What information would you not be able to find using netstat on a Windows system? A. Active TCP connections B. A list of executables by connection C. Active UDP connections D. Route table information

C. IOCs Forensic data is very helpful when defining indicators of compromise (IOCs). Behavioral threat assessments can also be partially defined by forensic data, but the key here is where the data is most frequently used.

Forensic data is most often used for what type of threat assessment data? A. STIX B. Behavioral C. IOCs D. TAXII

B. ATT&CK The ATT&CK framework specifically defines threat actor tactics in standardized ways. The Diamond Model is useful for guiding thought processes about threats, and the Cyber Kill Chain is most useful for assessing threats based on a set of defined stages. The Universal Threat Model was made up for this question!

Gabby wants to select a threat framework for her organization, and identifying threat actor tactics in a standardized way is an important part of her selection process. Which threat model would be her best choice? A. The Diamond Model B. ATT&CK C. The Cyber Kill Chain D. The Universal Threat Model

A. Supplicant. Any device that wishes to join an 802.1X network must run an 802.1X supplicant. The supplicant carries out the EAP exchange with the authenticator (the access point or switch port), which relays it to the authentication server (typically RADIUS); the device is not admitted to the network until that exchange succeeds.

Juan is configuring a new device that will join his organization's wireless network. The wireless network uses 802.1X authentication. What type of agent must be running on the device for it to join this network? A. Supplicant B. Authenticator C. Authentication server D. Command and control

B. WAF (Web Application Firewall) Web application firewalls (WAFs) are specialized firewalls designed to protect against web application attacks, such as SQL injection and cross-site scripting.

Kevin would like to implement a specialized firewall that can protect against SQL injection, cross-site scripting, and similar attacks. What technology should he choose? A. NGFW B. WAF C. Packet filter D. Stateful inspection

A. Mandiant The threat indicators built into OpenIOC are based on Mandiant's indicator list. You can extend and include additional indicators of compromise beyond the 500 built-in definitions.

OpenIOC uses a base set of indicators of compromise originally created and provided by which security company? A. Mandiant B. McAfee C. CrowdStrike D. Cisco

A. Review of security breaches or compromises your organization has faced. The requirements gathering phase of the intelligence cycle is about understanding what your organization needs to know, and reviewing recent breaches and compromises helps define the threats you actually face. Current vulnerability scans identify where you may be vulnerable but say little about who is likely to attack you. Data handling standards do not provide threat information. Intelligence feed reviews list new threats, but they are useful only once you know which types of threats you are likely to face, so that you can decide which ones to target.

Susan wants to start performing intelligence gathering. Which of the following options is frequently conducted in the requirements gathering stage? A. Review of security breaches or compromises your organization has faced B. Review of current vulnerability scans C. Review of current data handling standards D. A review of threat intelligence feeds for new threats

B. 23 (Telnet) Port 23, used by the Telnet protocol, is unencrypted and insecure. Connections should not be permitted to the jump box on unencrypted ports. The services running on ports 22 (SSH), 443 (HTTPS), and 3389 (RDP) all use encryption.

Wayne is configuring a jump box server that system administrators will connect to from their laptops. Which one of the following ports should definitely not be open on the jump box? A. 22 B. 23 C. 443 D. 3389

C. It includes actions outside the defended network. The Kill Chain includes actions (reconnaissance and weaponization) that occur outside the defended network, on which many defenders cannot act; this is one of the common criticisms of the model. Other criticisms include its focus on a traditional perimeter and on antimalware-based techniques, as well as its lack of attention to insider threats.

What common criticism is leveled at the Cyber Kill Chain? A. Not all threats are aimed at a kill. B. It is too detailed. C. It includes actions outside the defended network. D. It focuses too much on insider threats.

D. ISACs. Information sharing and analysis centers (ISACs) were established by critical-infrastructure sectors at the U.S. government's urging (Presidential Decision Directive 63, 1998). ISACs help infrastructure owners and operators in a given vertical share threat information, and provide tools and assistance to their members.

What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals? A. DHS B. SANS C. CERTs D. ISACs

C. Installation. The installation phase of the Cyber Kill Chain focuses on establishing persistent backdoor access for attackers. Delivery occurs when the weaponized payload is transmitted to the target, directly (for example, as an email attachment) or indirectly (for example, via a compromised website), whereas exploitation occurs when a vulnerability is triggered to run the attacker's code. Command and control (C2) uses two-way communications to provide continued remote control of the compromised system.

What phase of the Cyber Kill Chain includes creation of persistent backdoor access for attackers? A. Delivery B. Exploitation C. Installation D. C2

D. OS detection Operating system detection often uses TCP options support, IP ID sampling, and window size checks, as well as other indicators that create unique fingerprints for various operating systems. Service identification often leverages banners since TCP capabilities are not unique to a given service. Fuzzing is a code testing method, and application scanning is usually related to web application security.

What process uses information such as the way that a system's TCP stack responds to queries, what TCP options it supports, and the initial window size it uses? A. Service identification B. Fuzzing C. Application scanning D. OS detection
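The check above can be reduced to code. The following is an added example (not from this study set): it parses an IPv4 + TCP SYN/ACK, extracts the TTL, window size and the order of TCP options, and matches the result against a small signature table. The signature table values, the packet builder and the sample packet are all constructed for this example; they are assumptions, not entries from nmap's or p0f's real fingerprint databases.

```python
"""Added example (not from the original study set): a toy OS fingerprinter.
It parses an IPv4 + TCP SYN/ACK, extracts the TTL, window size and TCP option
layout, and matches them against a small signature table. The table values
are assumptions constructed for this demo, not a real database such as
nmap's or p0f's."""
import struct

# Assumed signatures: (initial TTL, window size, option layout) -> label.
SIGNATURES = {
    (64, 29200, "mss,sack,ts,nop,ws"): "Linux-like (assumed)",
    (128, 8192, "mss,nop,ws,nop,nop,sack"): "Windows-like (assumed)",
    (64, 65535, "mss,nop,ws,nop,nop,ts,sack,eol"): "BSD-like (assumed)",
}
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sack", 5: "sackblk", 8: "ts"}


def parse_tcp_options(raw):
    """Return the option kinds in the order they appear.
    The order and mix of options is the fingerprint; the values matter less."""
    names = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            names.append("eol")
            break
        if kind == 1:                      # No-operation padding, one byte
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        names.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += length
    return names


def fingerprint(packet):
    """packet: raw bytes of an IPv4 header followed by a TCP header (+ options).
    Returns (observed TTL, window size, option layout string)."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    ttl = packet[8]
    tcp = packet[ihl:]
    # sport, dport, seq, ack, data offset + flags, window, checksum, urgent
    _, _, _, _, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    if off_flags & 0x12 != 0x12:           # both SYN and ACK must be set
        raise ValueError("not a SYN/ACK")
    data_off = (off_flags >> 12) * 4
    return ttl, window, ",".join(parse_tcp_options(tcp[20:data_off]))


def guess_initial_ttl(ttl):
    """Observed TTL is the initial TTL minus hops; round up to a common initial value."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial
    return ttl


def identify(packet):
    ttl, window, layout = fingerprint(packet)
    key = (guess_initial_ttl(ttl), window, layout)
    return SIGNATURES.get(key, "unknown"), key


def build_synack(ttl, window, options):
    """Construct a sample IPv4 + TCP SYN/ACK (checksums left at zero; this is
    test input for the parser, not something to put on the wire)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0, 0x4000,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    off_flags = (((20 + len(options)) // 4) << 12) | 0x12
    tcp = struct.pack("!HHIIHHHH", 80, 54321, 1000, 2001, off_flags, window, 0, 0)
    return ip + tcp + options


# Constructed SYN/ACK: MSS 1460, SACK permitted, timestamps, NOP, window scale 7,
# seen with TTL 57 (a TTL-64 host about seven hops away).
LINUX_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
              + b"\x01" + b"\x03\x03\x07")
SAMPLE = build_synack(57, 29200, LINUX_OPTS)

if __name__ == "__main__":
    print(identify(SAMPLE))   # ('Linux-like (assumed)', (64, 29200, 'mss,sack,ts,nop,ws'))
```

Real scanners send several crafted probes (odd flag combinations, unusual options) and also look at IP ID behaviour and ICMP quirks, so a single SYN/ACK as shown here gives only a coarse match; the point is that the stack's own behaviour, not a banner, is what identifies the operating system.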

D. Zone transfer. The axfr type requests a full zone transfer: dig axfr @dns-server example.com asks dns-server for every record in the example.com zone, and host -t axfr (or host -l) does the same. Authoritative servers should restrict AXFR to their secondaries; a correctly configured server answers an unauthorized request with REFUSED, and dig then reports "Transfer failed."

What technique is being used in this command? dig axfr @dns-server example.com A. DNS query B. nslookup C. dig scan D. Zone transfer
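As an added example (not part of the original study set), the Python below classifies the text that dig axfr prints and, when a transfer succeeded, pulls out the hostnames and addresses the leaked zone reveals. Both sample outputs are constructed for this example using the reserved example.com name and documentation address ranges; the parser assumes dig's default output layout (comment lines prefixed with ';', records as name, TTL, class, type, rdata).

```python
"""Added example (not part of the original study set): classify the output of
`dig axfr` and pull the hosts out of a zone that was transferred. The sample
outputs below are constructed for this example and use the reserved
example.com / 192.0.2.0/24 / 2001:db8::/32 names and addresses."""

# Constructed: what dig prints when the server allows the transfer.
TRANSFERRED = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
www.example.com.\t3600\tIN\tA\t192.0.2.10
vpn.example.com.\t3600\tIN\tA\t192.0.2.20
mail.example.com.\t3600\tIN\tAAAA\t2001:db8::25
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# Constructed: what dig prints when a correctly configured server refuses.
REFUSED = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com
;; global options: +cmd
; Transfer failed.
"""


def parse_dig_axfr(output):
    """Return the resource records as (name, ttl, type, rdata) tuples,
    ignoring dig's ';'-prefixed comment lines."""
    records = []
    for line in output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        name, ttl, rclass, rtype, rdata = line.split(None, 4)
        if rclass != "IN":
            continue
        records.append((name.rstrip("."), int(ttl), rtype, rdata))
    return records


def classify_axfr(output):
    """'transferred' only when a complete zone came back (SOA at both ends),
    'refused' when dig reported failure, otherwise 'partial'."""
    if "Transfer failed" in output:
        return "refused", []
    records = parse_dig_axfr(output)
    if len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA":
        return "transferred", records
    return "partial", records


def hosts_from_zone(records):
    """Map hostnames to the addresses a leaked zone reveals (A and AAAA records)."""
    hosts = {}
    for name, _, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hosts.setdefault(name, []).append(rdata)
    return hosts


if __name__ == "__main__":
    status, records = classify_axfr(TRANSFERRED)
    print(status, hosts_from_zone(records))   # transferred {...}
    print(classify_axfr(REFUSED)[0])          # refused
```

A complete AXFR is framed by the zone's SOA record at the start and end, which is why the classifier checks both ends rather than just counting lines. On the defensive side, the fix for a server that returns "transferred" to an arbitrary client is to limit AXFR to the secondaries' addresses (allow-transfer in BIND) or to require TSIG-signed transfer requests.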

C. Confidence level The confidence level of your threat information is how certain you are of the information. A high confidence threat assessment will typically be confirmed either by multiple independent and reliable sources or via direct verification.

What term describes an analysis of threat information that might include details such as whether it is confirmed by multiple independent sources or has been directly confirmed? A. Threat quality level B. STIX level C. Confidence level D. Assurance level

C. Whois. Whois provides information that can include the organization's physical address, registrar, contact information, and other details (although registrar privacy services often redact the contact data). Nslookup provides IP address or hostname information, whereas host provides IPv4 and IPv6 addresses as well as email service information (MX records). Traceroute attempts to identify the path to a remote host and the routers along the route.

Which lookup tool provides information about a domain's registrar and physical location? A. nslookup B. host C. Whois D. traceroute

B. Registering manually Registering manually won't prevent DNS harvesting, but privacy services are often used to prevent personal or corporate information from being visible via domain registrars. CAPTCHAs, rate limiting, and blacklisting systems or networks that are gathering data are all common anti-DNS harvesting techniques.

Which of the following is not a common DNS antiharvesting technique? A. Blacklisting systems or networks B. Registering manually C. Rate limiting D. CAPTCHAs

B. Detail While higher levels of detail can be useful, it isn't a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

Which of the following measures is not commonly used to assess threat intelligence? A. Timeliness B. Detail C. Accuracy D. Relevance

D. Penetration tests Penetration tests are an example of an operational security control. Encryption software, network firewalls, and antivirus software are all examples of technical security controls.

Which one of the following is an example of an operational security control? A. Encryption software B. Network firewall C. Antivirus software D. Penetration tests

D. Sandboxing. Sandboxing detects malicious software based on its behavior rather than its signature. A sandboxing system intercepts code that has not been seen before and runs it in an isolated environment, the sandbox, where it has no access to other systems or applications; if the code behaves maliciously there (for example, by modifying system files or contacting a command and control server), it is blocked before it reaches production hosts.

Which one of the following techniques might be used to automatically detect and block malicious software that does not match known malware signatures? A. MAC B. Hashing C. Decompiling D. Sandboxing

B. Security logs. The Windows Security log records file access, creation, and deletion events when object access auditing (the Audit File System subcategory) is enabled and the file or folder carries a matching system access control list (SACL). Httpd logs belong to the Apache web server and "configuration logs" are not a Windows log type; the System log contains events logged by Windows components such as drivers and services.

Which type of Windows log is most likely to contain information about a file being deleted? A. httpd logs B. Security logs C. System logs D. Configuration logs
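To show what a file deletion actually looks like in the Security log, here is an added example (not from the study set). Windows does not write a single "file X was deleted by user Y" record: event 4663 (an attempt was made to access an object) carries the object name and the DELETE access right, and the later event 4660 (an object was deleted) carries only the Handle ID and Process ID. The code correlates the two on Handle ID plus Process ID. The event dictionaries are constructed sample data in the shape a parser of the event XML might produce; the field names, users, paths and handle values are assumptions for this example.

```python
"""Added example (not part of the original study set): reconstruct file
deletions from Windows Security log events. A deletion appears as event 4663
(an attempt was made to access an object) carrying the DELETE access right
and the object name, followed by event 4660 (an object was deleted), which
names only the handle and process. Correlating on Handle ID + Process ID
recovers who deleted which file. The event dicts below are constructed
sample data, in the shape a parser of the event XML might produce."""

DELETE = 0x10000            # access mask bit for the DELETE standard right

# Constructed sample: alice deletes a spreadsheet; bob merely opens a file.
EVENTS = [
    {"EventID": 4663, "TimeCreated": "2024-05-01T09:14:02Z", "SubjectUserName": "alice",
     "ProcessId": "0x1a4c", "HandleId": "0x3f8", "AccessMask": "0x10000",
     "ObjectName": r"C:\Finance\q3.xlsx"},
    {"EventID": 4660, "TimeCreated": "2024-05-01T09:14:02Z", "SubjectUserName": "alice",
     "ProcessId": "0x1a4c", "HandleId": "0x3f8"},
    {"EventID": 4658, "TimeCreated": "2024-05-01T09:14:02Z", "SubjectUserName": "alice",
     "ProcessId": "0x1a4c", "HandleId": "0x3f8"},
    {"EventID": 4663, "TimeCreated": "2024-05-01T09:20:11Z", "SubjectUserName": "bob",
     "ProcessId": "0x2210", "HandleId": "0x410", "AccessMask": "0x1",
     "ObjectName": r"C:\Finance\budget.docx"},
    {"EventID": 4658, "TimeCreated": "2024-05-01T09:20:12Z", "SubjectUserName": "bob",
     "ProcessId": "0x2210", "HandleId": "0x410"},
]


def correlate_deletions(events):
    """Walk events in time order; return one record per confirmed deletion."""
    pending = {}          # (HandleId, ProcessId) -> (user, object name, time)
    deletions = []
    # sorted() is stable, so events sharing a timestamp keep their log order
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        key = (ev.get("HandleId"), ev.get("ProcessId"))
        eid = ev["EventID"]
        if eid == 4663 and int(ev["AccessMask"], 16) & DELETE:
            # Handle opened with DELETE: remember the name until 4660 confirms it
            pending[key] = (ev["SubjectUserName"], ev["ObjectName"], ev["TimeCreated"])
        elif eid == 4660 and key in pending:
            user, name, _ = pending.pop(key)
            deletions.append({"user": user, "file": name, "time": ev["TimeCreated"],
                              "process_id": ev["ProcessId"]})
        elif eid == 4658:
            # Handle closed (logged when Handle Manipulation auditing is on);
            # if no 4660 arrived first, nothing was deleted on this handle.
            pending.pop(key, None)
    return deletions


if __name__ == "__main__":
    for d in correlate_deletions(EVENTS):
        print(f"{d['time']} {d['user']} deleted {d['file']} (pid {d['process_id']})")
```

None of these events exist unless auditing is switched on: enable the subcategory with auditpol /set /subcategory:"File System" /success:enable and add an auditing entry (SACL) for Delete on the folders of interest, otherwise the Security log stays silent about the deletion. Note that bob's read-only access (mask 0x1) followed by a handle close correctly produces no deletion record.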
