Unit 5 - Practice Quiz

The main purpose of incident response is to manage the aftermath of a security breach or attack effectively, with the goal of limiting damage, reducing recovery time and costs, and preventing future incidents.

The Containment phase focuses on isolating the affected systems to prevent the security incident from causing further damage to other parts of the network or organization.

The chain of custody is a chronological documentation of the seizure, control, transfer, analysis, and disposition of evidence. It is crucial for proving in a legal setting that the evidence has not been tampered with.

Log files from operating systems, applications, and network devices (like firewalls and routers) record events and activities, providing essential data for identifying and investigating security incidents.

A SIEM (Security Information and Event Management) system is a tool that collects, aggregates, and analyzes log data from various sources to provide real-time analysis of security alerts.

An IoC is a forensic artifact or piece of data, such as a strange file, a malicious IP address, or an unusual traffic pattern, that points to a potential intrusion or compromise.

Ransomware is a type of malicious software that encrypts a victim's files and demands a ransom payment in exchange for the decryption key.

A Denial of Service (DoS) attack aims to make a machine or network resource unavailable to its intended users by overwhelming it with a flood of internet traffic.

This specific syntax is a classic example of an SQL Injection attack, where an attacker attempts to manipulate the application's database queries to bypass security or extract data.

The Preparation phase is the first step. It involves creating policies, procedures, and acquiring the necessary tools and training before any incident occurs to ensure the team is ready to respond.

An IDS is a monitoring system that detects suspicious activities or policy violations and generates alerts. It does not actively block the traffic, which is the role of an Intrusion Prevention System (IPS).

Imaging, or creating a forensic image, is the process of making an exact copy of a storage device. This is done to preserve the original evidence in its exact state while analysis is performed on the copy.

Firewall logs are records of the traffic that attempts to pass through the firewall, detailing source/destination IPs, ports, and whether the connection was permitted or blocked based on security rules.

Adware is designed to display advertisements on your computer, while spyware may secretly monitor your activity and install unwanted toolbars. Both are common causes of these symptoms.

An unauthorized device could be used to intercept network traffic, access internal resources, or introduce malware. It represents a breach of both physical security (unauthorized access) and network security.

Security monitoring involves the ongoing collection and analysis of data to detect and respond to security threats in real-time or near-real-time, helping to identify incidents early.

This final phase is crucial for improving future incident response efforts. It involves documenting the incident, understanding what went well and what didn't, and updating plans and procedures accordingly.

This is a network-based IoC because it relates to network communication patterns. The other options are host-based IoCs, as they relate to activities on a specific computer or system.

NetFlow is a network protocol that collects IP traffic information. It provides high-level metadata about traffic flows, such as source/destination IPs, ports, and volume of data, without capturing the full content of the packets.

A brute-force attack is a trial-and-error method used to obtain information such as a user password. A high volume of failed logins is a classic sign that an automated tool is attempting to guess the correct password.

The immediate priority in the containment phase is to stop the bleeding. Disconnecting the server from the network (segmentation) is a short-term containment strategy that immediately halts the unauthorized data transfer. Wiping and restoring is part of eradication and recovery, which comes after containment. Full forensic analysis happens concurrently but doesn't stop the immediate threat. Notification is a post-incident activity.

The Order of Volatility dictates collecting evidence from most volatile to least volatile. CPU registers and cache are the most volatile form of data, as they are constantly changing and will be lost upon power-off. Network state is next, followed by running processes, then data on disk, and finally archived data.

This rule specifically looks for a pattern characteristic of a successful brute-force attack: numerous failures followed by a success in a short time frame. The other options are either too broad (foreign IP), too noisy (single failed admin login), or unrelated to a brute-force attack (network traffic volume).

Full Packet Capture (PCAP) records the entire content of every packet, which is necessary to analyze the payload and headers to diagnose issues like broadcast storms. NetFlow provides high-level traffic metadata (source, destination, port, bytes) but not the packet contents. Firewall and syslog data would not provide the necessary Layer 2 detail to identify the source of a broadcast storm.

A rootkit is a type of malware designed to hide its presence and the presence of other malware. It often achieves this by modifying core system utilities and functions (e.g., patching the kernel or replacing binaries like ls, ps, netstat) to lie to the user and administrator.

This describes a classic SYN flood, a type of Denial-of-Service (DoS) attack. The attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic by leaving many connections in a 'half-open' state.

The string %20OR%201=1 (URL encoded for ' OR 1=1') is a classic tautology used in SQL Injection attacks. The attacker is attempting to modify the backend SQL query to always evaluate to true, potentially bypassing authentication or retrieving all records from a database table.

IoCs are static, forensic artifacts that indicate a compromise has occurred (e.g., a malicious file hash, a C2 domain name). IoAs focus on the attacker's behavior and intentions, representing a sequence of actions that suggest an attack is in progress (e.g., PowerShell executing a command to download a file from the internet).

Hashing creates a unique digital fingerprint of the data. By hashing the source drive before imaging and then hashing the created image file, an investigator can prove their integrity. If the hashes match, it demonstrates that the copy is an exact, unaltered replica of the original, which is crucial for maintaining the chain of custody and admissibility in court.

The 'Lessons Learned' phase is a critical, blame-free review intended to improve future responses. The primary goal is to analyze what went well and what didn't, in order to strengthen security posture, refine procedures, and update the IR plan, thereby making the organization more resilient to future attacks.

EDR tools are designed to monitor endpoint and network events and record them in a central database for analysis. They excel at identifying anomalous behavior, such as unusual process creation chains (Word -> PowerShell), which are often indicative of fileless malware or advanced attacks that traditional antivirus might miss.

This sequence demonstrates multiple stages of a typical cyber attack, often modeled by a framework like the Cyber Kill Chain. It starts with initial delivery (phishing), moves to exploitation/installation (PowerShell download), and then to command and control (C2 communication). Analyzing events as part of a chain provides more context than viewing them in isolation.

ARP poisoning (or ARP spoofing) is an attack where a malicious actor sends falsified ARP messages over a local area network. This results in linking an attacker's MAC address with the IP address of a legitimate computer or server on the network, such as the default gateway. This allows the attacker to intercept, modify, or stop traffic.

The indicator that an unauthorized internal server is answering DNS queries points to a localized attack. The malware may have modified the hosts file on each machine, changed their DNS settings, or compromised the internal DNS server itself to redirect traffic. This is a common tactic for credential harvesting and malware delivery.

The ../ sequence is used in file systems to move up to a parent directory. Attackers use strings like ../../../../etc/passwd in an attempt to traverse outside of the web root directory and access sensitive system files. This is a classic Directory Traversal (or Path Traversal) attack.

To detect credential stuffing, an analyst needs to see both failed and successful login attempts across many systems and applications. Centralizing authentication logs (like Windows Security Event Logs, Linux's auth.log, VPN logs, etc.) into a SIEM allows for correlation and detection of a high volume of failed logins across many accounts from a single source IP.

An incident is typically defined as an event that poses a significant threat to business operations, data confidentiality, integrity, or availability. Unauthorized access to sensitive data meets this high-impact threshold. Port scans and single IDS alerts are common events that need investigation but are not automatically full incidents. A single user issue is likely a helpdesk ticket.

The Chain of Custody is a formal record that shows who collected the evidence, who handled it, when it was transferred, and where it was stored. This documentation is crucial to prove that the evidence has not been tampered with or altered from the time it was collected to the time it is presented in court, thereby ensuring its legal integrity.

While SIEMs excel at log aggregation, correlation, and alerting, SOAR platforms are designed to take the next step. They integrate with other security tools (like firewalls, EDR, etc.) to automate response workflows (playbooks), such as automatically isolating an endpoint or blocking a malicious IP, thereby reducing manual effort and response time.

A CSIRT (or CIRT) is a specialized group responsible for the centralized management and coordination of incident response. Their duties include preparation (planning, tools), detection and analysis (monitoring), and containment, eradication, and recovery. They are the expert first responders for security events.

This is the hardest choice because it involves synthesis of technical risk and business communication. While immediate eradication (A) is technically sound, it ignores business context. Delaying (B) accepts undue risk. Partial isolation (C) is a weak containment strategy for an APT on a DC. The best approach (D) is to translate the technical risk into business terms (financial loss), allowing leadership to make an informed, risk-based decision. This demonstrates a mature incident response capability that integrates with the business.

The FILE_NAME attribute timestamps are less commonly known and harder to change, often requiring kernel-level access or specialized forensic tools. A significant discrepancy where the STANDARD_INFORMATION timestamp is a classic indicator of timestomping, an anti-forensics technique used by attackers to hide their activity.

NetFlow (A) only provides metadata (IPs, ports, volume) and would not see the content of the queries. Firewall logs (B) similarly lack the necessary detail. Web proxy logs (C) are irrelevant if the malware is using standard DNS (UDP/53) and not DNS over HTTPS. The only way to detect this specific technique is by inspecting the actual subdomains being queried, which requires a data source like Zeek's dns.log or a full packet capture that records the full query content, not just the destination.

The key indicators are the incorrect parent process and the suspicious network activity. Legitimate svchost.exe instances are children of services.exe. An orphaned or incorrectly parented svchost.exe is a major red flag. When combined with networking libraries (wininet.dll) being loaded and active C2 connections, it strongly points to an attacker injecting their malicious code into a trusted system process to evade detection. This is a hallmark of process injection or hollowing.

While the activity generates artifacts (D), the core indicator is the behavior itself. The use of PowerShell with specific obfuscation and execution policy bypass flags (-NoP, -Exec Bypass, -EncodedCommand) is a well-known adversarial Technique, Tactic, and Procedure (TTP). Blocking a specific hash of the script would be easy for the attacker to change. Blocking the IP it connects to would be slightly harder. Detecting or blocking the behavioral pattern of using PowerShell in this manner (the TTP) causes the most 'pain' for the adversary, forcing them to fundamentally change their methods.

This scenario describes a vulnerability that causes a denial of service due to how the backend processes a malicious query. Elasticsearch, and many other systems, can be vulnerable to inefficient query patterns, particularly with leading wildcards or complex regular expressions. An attacker who understands this can craft a simple-looking query that causes a 'catastrophic backtracking' scenario in the search engine, consuming all available CPU resources. This is a form of algorithmic complexity attack, often categorized under ReDoS, and it's an application-layer DoS, not a network-layer one.

Unsolicited ICMP Echo Replies are highly anomalous. Legitimate replies must be preceded by a request. Attackers can abuse the ICMP protocol for covert communication because it is often allowed through firewalls for diagnostic purposes. By crafting raw sockets, malware can generate Echo Reply packets and embed stolen data within the payload. The lack of corresponding requests is the key indicator that this is not legitimate ping traffic but a covert channel for data exfiltration.

This question addresses the 'Pyramid of Pain' in an automation context. The file hash is a trivial indicator for an attacker to change, especially with polymorphic malware. The network indicator (C2 domain or IP address) is more costly for the attacker to change and provides a much more durable and effective indicator for blocking and further investigation. Automating the extraction and blocking of network IOCs is a significant improvement over chasing unique hashes.

A kernel-level rootkit operates at the highest privilege level and can intercept system calls to hide its presence. This means it can modify the output of tools like ls, chkrootkit, and ps (A, B) and can hide its own modules from listings like /proc/modules (D). These are unreliable because they trust the compromised kernel to report on itself. The most reliable method is to perform memory forensics (C). By analyzing a raw memory dump, the investigator can examine critical kernel structures like the System Call Table from an external, trusted environment. Any hooks or redirects pointing to unauthorized memory locations are definitive proof of a kernel-level compromise.

This question tests a nuanced understanding of IR phases. Containment is about stopping the attack from spreading right now. It's a tactical, immediate set of actions. Eradication is the strategic, deeper process of ensuring the adversary is completely removed from the environment. For human-operated ransomware, simple file deletion is not enough; the attackers have backdoors, compromised credentials, and persistence mechanisms. Eradication, therefore, isn't just about deleting the ransomware; it's about removing the human operator's entire foothold, which often necessitates rebuilding systems from a known-good state.

This requires synthesizing multiple data points for high fidelity. Option A is too generic; many legitimate services use RPC. Option B is also too generic; network logons are common. Option C is not specific enough. Option D provides the most robust evidence. It correlates the cause on the source machine (WMI process execution, captured by a tool like Sysmon) with the effect on the destination machine (a network logon from the source), creating a specific and reliable indicator of remote WMI-based execution, a common lateral movement technique.

The original behavior (specific error messages) represents a classic user enumeration vulnerability. The sudden switch to a generic error message suggests a security fix has been deployed. The fact that this change occurred during a spike in failed logins indicates that the security team likely detected the enumeration attack in progress and deployed a patch to remediate the vulnerability. The attacker's activity revealed the flaw, which was then fixed, changing the indicator.

The mshtml,RunHTMLApplication function is a specific way to execute HTML Applications (HTAs) using the legitimate Windows binary rundll32.exe. HTAs are files that can contain JScript or VBScript and run with the full permissions of the user, outside the browser sandbox. This technique is often used by malware droppers to execute a more robust second stage (the HTA file) in a 'fileless' manner (from the perspective of traditional AV that scans executables on disk), making it a powerful method for bypassing application whitelisting.

This requires synthesizing host and network indicators. Accessing lsass.exe is a common way to dump credentials or tickets from memory. The key piece is the network indicator: a Kerberos TGS-REQ (Ticket Granting Service Request) that specifically uses the weaker RC4-HMAC encryption. This is the hallmark of Kerberoasting. In this attack, an adversary requests a service ticket for a user account that has a Service Principal Name (SPN). Part of the ticket is encrypted with the service account's NTLM password hash. The attacker takes this ticket offline and uses brute-force cracking to recover the account's plaintext password.

Increasing the threshold (A) or decreasing the time window (D) makes it easier for a slow brute-force attack to go undetected. Whitelisting (B) a large group of users is risky as their accounts could be the source of a real attack. The most intelligent tuning method is to add context (C). A user legitimately mistyping their password will have both failed and successful logins from the same source. A credential stuffing or password spraying attack often involves failures from a botnet, followed by a successful login from the attacker's own machine. Correlating the login activity with contextual information like geolocation or ASN adds high-fidelity logic that filters out normal user behavior while still catching the more dangerous attack pattern.

This describes a classic 'Evil Twin' attack. The deauthentication flood is not just a DoS; it's a tool to achieve a larger goal. By forcibly disconnecting legitimate users from the real access point, the attacker creates a frustrating situation where users will try to reconnect. Their devices will then see the attacker's rogue AP with the same name and may connect to it automatically or be tricked into connecting manually. Once connected to the evil twin, the attacker is in a man-in-the-middle position to intercept traffic, capture credentials, and launch further attacks.

This scenario creates a classic and difficult dilemma. The need to preserve evidence for legal and forensic purposes requires leaving the systems in their current state as much as possible for imaging and analysis. However, the active threat of the logic bomb requires immediate action (containment/eradication) to prevent the total loss of data and systems, which would destroy the very evidence that needs to be preserved. The IR team must make a critical decision on how to proceed, likely involving a rapid, forensically-sound acquisition of evidence before the logic bomb can detonate.

Reflective DLL injection is a technique where malware loads itself into the memory of another process without being written to disk first. Therefore, it will not appear in a traditional dlllist (C) because it wasn't loaded by the Windows loader. While pslist (A) and netscan (B) can provide supporting evidence, they don't prove the injection technique itself. The malfind plugin is specifically designed to find this type of activity. It scans memory for characteristics of injected code, such as pages with execute, read, and write permissions (RWX), and code that doesn't map back to a legitimate file on disk, which is the definition of reflectively loaded code.

This is a textbook example of a Mass Assignment vulnerability. The application code is likely designed to automatically bind incoming HTTP parameters to variables or object properties. The developer did not anticipate that an attacker could add an extra parameter (isAdmin) to the request that corresponds to a sensitive, internal property of the user object model. By not using a whitelist of allowed parameters, the application blindly 'mass assigned' the malicious parameter, leading to a privilege escalation. It is not IDOR, CSRF, or SSRF.

ntdsutil.exe is a legitimate Active Directory management tool. The ifm (Install From Media) subcommand is used to create a copy of the AD database (ntds.dit) for creating new domain controllers. However, attackers abuse this functionality to create an offline copy of the entire AD database. Once they have the ntds.dit file, they can take it to their own machine and use tools like Mimikatz to extract all the NTLM password hashes for all users in the domain. This is a primary technique for the Credential Access tactic in the MITRE ATT&CK framework.