Match the intrusion event defined in the Diamond Model of intrusion to the description.
According to NIST, which step in the digital forensics process involves drawing conclusions from data?
- Collection
- Examination
- Analysis
- Reporting
Analysis
When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to block a potential back door creation? (Choose two.)
- Audit endpoints to discover abnormal file creations.
- Establish an incident response playbook.
- Consolidate the number of Internet points of presence.
- Conduct damage assessment.
- Use HIPS to alert or place a block on common installation paths.
Audit endpoints to discover abnormal file creations.
Use HIPS to alert or place a block on common installation paths.
A threat actor collects information from web servers of an organization and searches for employee contact information. The information collected is further used to search personal information on the Internet. To which attack phase do these activities belong according to the Cyber Kill Chain model?
- action on objectives
- exploitation
- reconnaissance
- weaponization
reconnaissance
In which step of the NIST incident response process does the CSIRT perform an analysis to determine which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring?
- incident notification
- attacker identification
- scoping
- detection
Scoping: Provide information on the containment of the incident and deeper analysis of the effects of the incident.
What is the objective the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure?
- to allow the threat actor to issue commands to the software that is installed on the target
- to steal network bandwidth from the network where the target is located
- to send user data stored on the target to the threat actor
- to launch a buffer overflow attack
to allow the threat actor to issue commands to the software that is installed on the target
What two shared sources of information are included within the MITRE ATT&CK framework? (Choose two.)
- collection of digital evidence from most volatile evidence to least volatile
- attacker tactics, techniques, and procedures
- details about the handling of evidence including times, places, and personnel involved
- eyewitness evidence from someone who directly observed criminal behavior
- mapping the steps in an attack to a matrix of generalized tactics
attacker tactics, techniques, and procedures
mapping the steps in an attack to a matrix of generalized tactics
Which meta-feature element in the Diamond Model describes information gained by the adversary?
- methodology
- resources
- results
- direction
resources
According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident?
- human resources
- legal department
- management
- IT support
“Ultimately, management is held responsible for coordinating incident response among various stakeholders…”
What is the purpose for data reduction as it relates to NSM?
- to make the alert data transmission fast
- to remove recurring data streams
- to enhance the secure transmission of alert data
- to diminish the quantity of NSM data to be handled
to decrease/diminish/reduce the quantity of NSM data to be handled
To reduce data, it is essential to identify the network data that should be gathered and stored to reduce the burden on systems.
Which term is used to describe the process of converting log entries into a common format?
- classification
- systemization
- normalization
- standardization
normalization is the process of combining data from a number of sources into a common format.
How is the hash value of files useful in network security investigations?
- It is used to decode files.
- It helps identify malware signatures.
- It verifies confidentiality of files.
- It is used as a key for encryption.
the hash value can be submitted to an online site to determine if the file is a known malware.
What is the purpose for data normalization?
- to simplify searching for correlated events
- to reduce the amount of alert data
- to enhance the secure transmission of alert data
- to make the alert data transmission fast
Data normalization is also required to simplify searching for correlated events.
How does an application program interact with the operating system?
- sending files
- accessing BIOS or UEFI
- making API calls
- using processes
making API calls
Which tool is a Security Onion integrated host-based intrusion detection system?
- Snort
- OSSEC
- ELK
- Sguil
OSSEC
A threat actor has successfully breached the network firewall without being detected by the IDS system. What condition describes the lack of alert?
- false negative
- true negative
- true positive
- false positive
Alerts can be classified as follows:
- True Positive: The alert has been verified to be an actual security incident.
- False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
- An alternative situation is that an alert was not generated. The absence of an alert can be classified as:
- True Negative: No security incident has occurred. The activity is benign.
* False Negative: An undetected incident has occurred.
After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis?
- It can track the behavior of the malware from the identification point forward.
- It can identify how the malware originally entered the network.
- It can calculate the probability of a future incident.
- It can determine which network host was first affected.
A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.
What are security event logs commonly based on when sourced by traditional firewalls?
- static filtering
- application analysis
- signatures
- 5-tuples
Alerts will generally include five-tuples information, as well as timestamps and information identifying which device or system generated the alert.
- SrcIP - the source IP address for the event.
- SPort - the source (local) Layer 4 port for the event.
- DstIP - the destination IP for the event.
- DPort - the destination Layer 4 port for the event.
- Pr - the IP protocol number for the event.
Refer to the exhibit. A security analyst is reviewing an alert message generated by Snort. What does the number 2100498 in the message indicate?
- the id of the user that triggers the alert
- the message length in bits
- the Snort rule that is triggered
- the session number of the message
The Snort rule that is triggered
A cybersecurity analyst is going to verify security alerts using the Security Onion. Which tool should the analyst visit first?
- Bro
- Sguil
- CapME
- ELK
Sguil - serves as a starting point in the investigation of security alerts.
What information is contained in the options section of a Snort rule?
- direction of traffic flow
- text describing the event
- action to be taken
- source and destination address
It contains the text message that identifies the alert (describes the event). It also contains metadata about the alert, such as a URL.
Which classification indicates that an alert is verified as an actual security incident?
false negative
true positive
false positive
true negative
What is the purpose for data normalization?
- to simplify searching for correlated events
- to reduce the amount of alert data
- to enhance the secure transmission of alert data
- to make the alert data transmission fast
normalization is also required to simplify searching for correlated events
Which tool included in the Security Onion includes the capability of designing custom dashboards?
- Sguil
- Kibana
- Squert
- OSSEC
Kibana is an interactive dashboard interface to Elasticsearch data. It allows querying of NSM data and provides flexible visualizations of that data.
-
Module 1 - The Danger25
-
Module 2 - Fighters In The War Against Cybercrime13
-
Module 3 - The Windows Operating System21
-
Module 4 - Linux Overview17
-
Modules 5-10: Networking Fundamentals53
-
Module 11 - Network Communication Devices24
-
Module 12 - Network Security Infrastructure23
-
Modules 13-17: Threats and Attacks90
-
Module 16 - Attacking the Foundation13
-
Module 17: Attacking What We Do12
-
Module 18: Understanding Defense12
-
Module 19: Access Control11
-
CyberOps Associate Final Exam1
-
CyberOps Associate (200-201) Certification Practice Exam1
-
Modules 18-2029
-
Modules 24-2526
-
Modules 26-2826
-
Final Exam97
