Cyber ops chapter 13-17
A disgruntled employee is using some free wireless networking tools to determine information about the enterprise wireless networks. This person is planning on using this information to hack the wireless network. What type of attack is this?
reconnaissance
What type of attack is port scanning?
reconnaissance
Which type of attack involves the unauthorized discovery and mapping of network systems and services?
reconnaissance
Which type of DNS attack involves the cybercriminal compromising a parent domain and creating multiple subdomains to be used during the attacks?
shadowing
Which term is used for bulk advertising emails flooded to as many end users as possible?
spam
What is the purpose of a rootkit
to gain privileged access to a device while concealing itself
what is the main goal of using different evasion techniques by threat actors
to prevent detection by network and host defenses
What is the primary goal of a DoS attack?
to prevent the target server from being able to handle additional requests
What is an objective of a DHCP spoofing attack?
to provide false DNS server addresses to DHCP clients so that visits to a legitimate webserver are directed to a fake server
Which technology is an open source SIEM system?
ELK
Which protocol would be the target of a cushioning attack?
HTTP
In what type of attack are HTTP redirect messages used to send users to malicious websites?
HTTP 302 cushioning
Which field in an IPv6 packet is used by the router to determine if a packet has expired and should be dropped?
Hop Limit
Which attack is being used when threat actors use pings to discover subnets and hosts on a protected network, to generate flood attacks, and to alter host routing tables?
ICMP Attack
What kind of ICMP message can be used by threat actors to map an internal IP network?
ICMP mask reply
What characteristic describes a gray hat hacker?
Individuals who commit cyber crimes but not for personal gain or to cause damage
What characteristic describes script kiddies?
Inexperienced threat actors running existing scripts, tools, and exploits, to cause harm, but typically not for profit
A threat actor constructs IP packets that appear to come from a valid source within the corporate network. What type of attack is this?
Ip address spoofing
Which statement describes the function of the SPAN tool used in a Cisco switch?
It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.
What focus describes a characteristic of an indicator of attack (IOA)?
It focuses more on the motivation behind an attack and the means used to compromise vulnerabilities to gain access to assets
Which statement describes cybersecurity?
It is an ongoing effort to protect Internet-connected systems and the data associated with those systems from unauthorized use or harm.
Which statement describes the term attack surface?
It is the total sum of vulnerabilities in a system that is accessible to an attacker
What functionality is provided by Cisco SPAN in a switched network?
It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
Which two functions are provided by NetFlow? (Choose two.)
It provides 24x7 statistics on packets that flow through a Cisco router or multilayer switch. It provides a complete audit trail of basic information about every IP flow forwarded on a device.
what are three functionalities provided by soar
It provides case management tools that allow cybersecurity personnel to research and investigate incidents. It uses artificial intelligence to detect incidents and aid in incident analysis and response. It automates complex incident response procedures and investigations.
What security tool allows a threat actor to hack into a wireless network and detect security vulnerabilities?
KisMac
What is the result of a DHCP starvation attack?
Legitimate clients are unable to lease IP addresses.
What should a cybersecurity analyst look for to detect DNS tunneling?
Longer than average DNS queries
A threat actor uses a program to launch an attack by sending a flood of UDP packets to a server on the network. The program sweeps through all of the known ports trying to find closed ports. It causes the server to reply with an ICMP port unreachable message and is similar to a DoS attack. Which two programs could be used by the threat actor to launch the attack? (Choose two.)
Low orbit ion cannon, UDP Unicorn
Threat actors have positioned themselves between a source and destination to monitor, capture, and control communications without the knowledge of network users. What type of attack is this?
MITM
An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted user. Which type of attack is this?
Man in the Middle
Which attack is being used when threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication?
MiTM Attack
What is a monitoring tool used for capturing traffic statistics?
NetFlow
Which network monitoring tool can provide a complete audit trail of basic information of all IP flows on a Cisco router and forward the data to a device?
NetFlow
Which tool can be used for network and security monitoring, network planning, and traffic analysis?
Netflow
Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device?
Network Tap
which tools is used to provide a list of open ports on network devices
Nmap
Hackers have gained access to account information and can now login into a system with the same rights as authorized users. What type of attack is this?
Password based
What type of malware attempts to convince people to divulge their personally identifable information (PII)?
Phishing
What is an essential function of SIEM?
Providing reports and analysis of security events
A threat actor wants to interrupt a normal TCP communication between two hosts by sending a spoofed packet to both endpoints. Which TCP option bit would the threat actor set in the spoofed packet?
RST
What type of malware encrypts all data on a drive and demands payment in Bitcoin cryptocurrence to unencrypt the files?
Ransomware
Which capability is provided by the aggregation function in SIEM?
Reducing the volume of event data by consolidating duplicate event records
Which risk management plan involves discontinuing an activity that creates a risk?
Risk Avoidance
Which risk management strategy requires careful evaluation of the costs of loss, the mitigation strategy, and the benefits gained from the operation or activity that is at risk?
Risk Reduction
Which tool is used in enterprise organizations to provide real time reporting and long-term analysis of security events
SIEM
What allows analysts to request and receive information about the operation of network devices?
SNMP
Which network tool uses artificial intelligence to detect incidents and aid in incident analysis and response?
SOAR
What network monitoring tool can be used to copy packets moving through one port, and send those copies to another port for analysis?
SPAN
A threat actor accesses a list of user email addresses by sending database commands through an insecure login page. What type of attack is this?
SQL injection
Users in a company have complained about network performance. After investigation, the IT staff has determined that an attacker has used a specific technique that affects the TCP three-way handshake. What is the name of this type of network attack?
SYN flood
In which TCP attack is the cybercriminal attempting to overwhelm a target host with half-open TCP connections?
SYN flood attack
Which attack is being used when threat actors gain access to the physical network, and then use an MiTM attack to capture and manipulate a legitimate user's traffic?
Session Hijacking
What type of attack is tailgating?
Social engineering
Which technology is a proprietary SIEM system?
Splunk
Which attack exploits the three-way handshake?
TCP SYN Flood attack
Two hosts have established a TCP connection and are exchanging data. A threat actor sends a TCP segment with the RST bit set to both hosts informing them to immediately stop using the TCP connection. Which attack is this?
TCP reset attack
Which attack is being used when the threat actor spoofs the IP address of one host, predicts the next sequence number, and sends an ACK to the other host?
TCP session hijacking
Which utility provides numerous command-line options for capturing packets?
TCPdump
How do cybercriminals make use of a malicious iFrame?
The Iframe allows the browser to load a web page from another source
In what way are zombies used in security attacks?
They are infected machines that carry out a DDoS attack.
What is a characteristic of a DNS amplification and reflection attack?
Threat actors use DNS open resolvers to increase the volume of attacks and to hide the true source of an attack
Which field in the IPv4 header is used to prevent a packet from traversing a network endlessly?
Time to live
What is the purpose of the Cisco NetFlow IOS technology?
To collect operational data from IP networks
A company has contracted with a network security firm to help identify the vulnerabilities of the corporate network. The firm sends a team to perform penetration tests to the company network. Why would the team use forensic tools?
To detect any evidence of a hack or malware in a computer or network
What is the purpose of a reconnaissance attack on a computer network?
To gather information about the target network and system
A company has contracted with a network security firm to help identify the vulnerabilities of the corporate network. The firm sends a team to perform penetration tests to the company network. Why would the team use applications such as Nmap, SuperScan, and Angry IP Scanner?
To probe network devices, servers, and hosts for open TCP or UDP ports
Which network monitoring capability is provided by using SPAN?
Traffic existing and entering a switch is copied to a network monitoring device
A program sends a flood of UDP packets from a spoofed host to a server on the subnet sweeping through all the known UDP ports looking for closed ports. This will cause the server to reply with an ICMP port unreachable message. Which attack is this?
UDP flood attack
What application captures frames that are saved in a file that contains the frame information, interface information, packet length, and time stamps?
Wireshark
Which network monitoring tool allows an administrator to capture real-time network traffic and analyze the entire contents of packets?
Wireshark
What type of malware executes arbitrary code and installs copies of itself in the memory of the infected computer? The main purpose of this malware is to automatically replicate from system to system across the network.
Worm
when describing malware what is a difference between a virus and a worm
a virus replicates itself by attaching to another file, whereas a worm can replicate itself independently
To which category of security attacks does man-in-the-middle belong?
access
What is the weakest link in network security? Reconnaissance , access, Dos, Social engineering
access
Which action best describes a MAC address spoofing attack?
altering the MAC address of an attacking host to match that of a legitimate host
Which is an example of social engineering?
an unidentified person claiming to be a technician collecting user information from employees
What is the motivation of a white hat attacker?
discovering weaknesses of networks and systems to improve the security level of these systems
In what type of attack does a threat attacker attach to the network and read communications from network users?
eavesdropping
Which term describes a field in the IPv4 packet header used to detect corruption in the IPv4 header?
header checksum
How is optional network layer information carried by IPv6 packets?
inside an extension header attached to the main IPv6 packet header
What is the best description of Trojan horse malware?
it appears to be useful software but hides malicious code
What is the weakest link in network security? Routers, People, TCP/IP, Social Engineering
people
What is the term used when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source?
phishing
What is an example of "hacktivism"?
A group of environmentalists launch a denial of service attack against an oil company that is responsible for a large oil spill.
What is involved in an IP address spoofing attack?
A legitimate network IP address is hijacked by a rogue node.
What is a significant characteristic of virus malware?
A virus is triggered by an event on the host system
What enables a threat actor to impersonate the default gateway and receive all traffic that is sent to hosts that are not on the local LAN segment?
ARP cache poisoing
Which attack being used is when a threat actor creates packets with false source IP address information to either hide the identity of the sender, or to pose as another legitimate user?
Address Spoofing Attack
What type of malware typically displays annoying pop-ups to generate revenue for its author?
Adware
Which attack is being used when threat actors initiate a simultaneous, coordinated attack from multiple source machines?
Amplification and Reflection Attacks
Which access attack method involves a software program that attempts to discover a system password by the use of an electronic dictionary?
Brute Force
A threat actor has gained access to encryption keys that will permit them to read confidential information. What type of attack is this?
Compromised key
Which SIEM function is associated with examining the logs and events of multiple systems to reduce the amount of time of detecting and reacting to security events?
Correlation
Which two attacks target web servers through exploiting possible vulnerabilities of input functions used by an application? (Choose two.)
Cross-site scripting, SQL injection.
Which protocol is attacked when a cybercriminal provides an invalid gateway in order to create a man-in-the-middle attack?
DHCP
In which type of attack is falsified information used to redirect users to malicious Internet sites?
DNS cache poisoning
What type of attack prevents the normal use of a computer or network by valid users?
DOS
In what type of attack can threat actors change the data in packets without the knowledge of the sender or receiver?
Data modification
Which type of network threat is intended to prevent authorized users from accessing resources?
DoS Attacks
