Fiszki: Security+ 601 Part 4 | Quizlet


91 Terms

1. tracert/traceroute

A command used to determine the route a packet takes to a destination; it takes advantage of the ICMP Time to Live Exceeded error messages returned at each hop.

2. nslookup/dig

A command used to look up information from DNS servers (IP addresses, canonical names, timers, etc.).

3. ipconfig/ifconfig

- Used to display TCP/IP information
- Also MAC addresses
- Subnet masks
- Host name

4. nmap

A network utility designed to scan a network and create a map of it. Frequently used as a vulnerability scanner; a free, open-source utility.

5. ping/pathping

Uses ICMP to test connectivity issues and whether communication between different systems is possible.

6. hping

An enhanced ping utility for crafting TCP, IP, ICMP, and UDP packets, used in port-scanning activities. A packet

7. netstat

A TCP/IP utility that shows the status of each active connection by monitoring network connections to and from a system; useful for viewing all listening ports on a computer.

8. netcat

A network utility program that reads from and writes to network connections; it can listen on a port and can be used to create a backdoor.

9. IP scanners

Able to scan a network for all the IP addresses on it and report on their status; some scanners are offered for free, others through a third party.

10. arp

Used to view the local ARP table; the command gives administrators the ability to see and manipulate the ARP table on a system.

11. route

A command used to display routing tables and modify static routes on a Windows or Linux system.

12. curl

A command-line tool designed to transfer data to or from a server without user interaction.

13. theHarvester

A Python-based program designed to assist penetration testers in gathering information during the reconnaissance (OSINT) portion of a penetration test.

14. sn1per

A Linux-based tool used by penetration testers that combines many recon tools into a single framework; the attacker has the ability to choose the level of intrusiveness against their victim.

15. scanless

A command-line utility that interfaces with websites (separate hosts) that perform port scans as part of a penetration test; your original IP address is always hidden as the scan source.

16. dnsenum

A Perl script designed to enumerate DNS information; it can be used to collect information such as user names and IP addresses of targeted systems.

17. Nessus

A network vulnerability scanner available from Tenable Network Security, one of the leading scanners on today's market.

18. Cuckoo

A sandbox used for malware analysis; it is free, open-source software that can run on Linux or Windows.

19. head

A utility designed to return the first lines of a file; how many lines depends on what the user of the command asks for.

20. tail

A utility designed to return the last lines of a file; how many lines depends on what the user of the command asks for.

21. cat

A Linux command that is used to create and manipulate files.

22. grep

Finds text inside files that matches the patterns of file contents you are searching for; can search many files at a time.

23. chmod

A Linux command used to change the access permissions of a file, such as r, w, x.

24. logger

A Linux command that lets you add log information to a log file.

25. SSH

Encrypted console communication on TCP/22 used to manage networks across unsecured spaces; it replaces Telnet.

26. PowerShell

The command line for system administrators; its scripts use the .ps1 file extension.

27. Python

A computer language commonly used for the scripting and data analysis tasks facing system administrators and security personnel; uses the file extension .py.

28. OpenSSL

A toolkit and crypto library for SSL/TLS; it creates X.509 certificates and much more.

29. Tcpreplay

A free, open-source utility for editing and replaying previously captured network traffic; specifically, it replays PCAP files onto a network.

30. tcpdump

A utility designed to analyze network packets, either from a live network connection or from a recorded file.

31. Wireshark

An application that captures and analyzes network packets: examine individual packets, monitor conversations, carve out files, and more.

32. dd

A Linux command used to convert and copy files.

33. Memdump

A program that dumps system memory to the standard output stream, skipping over any holes in the memory maps; everything that happens in memory can then be seen by third-party tools.

34. WinHex

A universal hexadecimal editor for Windows 10; able to clone disks, edit disks and files, securely wipe, and more.

35. FTK Imager

A commercial program that is free to use, designed to capture an image of a hard drive.

36. Autopsy

A Windows tool that performs digital forensics on hard drives, smartphones, and more; able to extract many different data types.

37. Exploitation frameworks

A pre-built toolkit used to store information about security vulnerabilities. They are often used by penetration testers (and attackers) to detect and exploit software.

38. Password crackers

Software programs used to identify an unknown or forgotten password; they come in many forms, but all are capable of getting into systems.

39. Data sanitization

The method used to repeatedly delete and overwrite any traces or bits of sensitive data that may remain on a device after data wiping has been done; a one-way trip.

40. Incident response plans

A plan that describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system or network.

41. Incident response process

Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

42. Incident response tabletop

An IR exercise that represents the closest simulation of a disaster recovery plan; it makes sure the key players are present and go through their checklist of duties to perform.

43. Incident Response Exercises

Tabletop, walkthroughs, simulations

44. Attack Frameworks

MITRE ATT&CK
The Diamond Model of Intrusion Analysis
Cyber Kill Chain

45. IR Stakeholder Management

The team responsible for keeping a good relationship with IT's customers, whether external or internal, who are what make IT exist.

46. MITRE ATT&CK

A not-for-profit framework that catalogs the actions of attackers in order to understand their methods, identify attack techniques, and block future attacks.

47. The Diamond Model of Intrusion Analysis

Helps guide analysts through intrusions and applies specific principles to intrusion analysis; it looks simple but is very complex.

48. Cyber Kill Chain

A systematic outline of the steps of a cyberattack, introduced at Lockheed Martin in 2011; seven phases based on a military concept.

49. IR Communication Plan

The part of the IR effort that answers the preceding questions and defines responsibilities for communication; a key element developed during the preparation phase, it ensures that a contact list exists when disaster hits.

50. Disaster Recovery Plan

This plan defines the data and resources necessary, and the steps required, to restore critical organizational processes.

51. Business Continuity Plan

Guidelines and arrangements for responding to disruption of critical business functions, to restore and MAINTAIN operations and create profit.

52. COOP (Continuity of Operations Planning)

This plan determines which subset of normal operations needs to be continued during periods of disruption.

53. Incident response team

The personnel assembled to respond to an incident.

54. IR Retention Policies

This policy determines what data storage is kept secure and is needed if operations were halted by a disaster.

55. Vulnerability Scan Output

Provides information about which systems are running, any additional services that are listening on the network, and the known vulnerabilities for each of them.

56. SIEM dashboards

Sensors, Sensitivity, Alerts, Correlations, and Trends

57. SIEM Sensitivity

In a SIEM, the quality of being quick to detect or respond to slight changes, signals, or influences (important data).

58. SIEM Alerts

The primary communication in the SIEM; visualizes raw data and log info, and identifies security events.

59. SIEM Correlation

In a SIEM, the process of establishing a relationship between two variables; this is extremely useful because it makes identifying large amounts of malicious activity on networks much easier.

60. SIEM Sensors

In a SIEM, the components that feed security data into the datastore.

61. Network Log Files

Files kept on switches, routers, APs, VPN concentrators, and other infrastructure devices; routing updates and authentication issues are recorded in these files.

62. Application Log Files

Files specific to apps:
Windows - Event Viewer / Application log
Linux / macOS - /var/log

63. Security Log Files

Files containing detailed security information: security devices, malicious activity, etc.

64. Web Log Files

Files related to web server access, errors when trying to access the server, malicious activity, and specific server activity.

65. DNS Log Files

Files that record lookup requests for websites and IP addresses, and identify queries to bad URLs.

66. Authentication Log Files

Files that record who is logged into a system and who isn't; correlate with other devices.

67. Dump Files

Able to store all the contents of memory in a diagnostic file; some applications have their own process for this.

68. VoIP and call messages

Files that show inbound and outbound call info, security information such as audit trails and authentications, and SIP traffic.

69. Session Initiation Protocol (SIP) traffic

A text-based protocol used for signaling voice, video, and messaging apps over IP; alert on unusual numbers or country codes.

70. Syslog

System Logging protocol that MOVES data into log files on a log server.

71. Rsyslog

Open-source variant of syslog that follows the specifications but also provides additional features such as content-based filtering.

72. Syslog-ng

Open-source variant of syslog that follows the specifications but also provides additional features such as content-based filtering; it can tag, classify, and correlate in real time, which improves SIEM performance.

73. journalctl

A command on Linux systems that lets you view logs in plaintext and search/filter log servers.

74. NXLog

A multiplatform log management tool designed to assist in the use of log data during investigations; it can identify security issues, policy violations, and operational problems within a system.

75. Bandwidth monitors

A utility designed to measure network bandwidth usage over time; the higher it is, the more resources are being used, hence slower systems.

76. Metadata

Data that describes other data:
Email - header details, sending servers, destination address
Mobile - type of phone, GPS
Web - OS, browser type, IP address
Files - name, address, phone number, etc.

77. NetFlow

A tool used to gather information about data flowing through a network and shared between devices; the standard collection method, useful in intrusion investigations.

78. IPFIX

The newer, NetFlow-based standard; has flexible data support.

79. Protocol Analyzer Output

Software that captures and decodes network traffic through packet sniffing; can identify unknown traffic, verify packet filtering and security controls, and show a plain-language description of application data.

80. sFlow

Only a portion of network traffic is monitored, and it is usually embedded in infrastructure (switches, routers).

81. Legal Hold

A technique to preserve relevant information in preparation for litigation; for the most part, data is preserved in case of potential backlash or unknown issues in the future.

82. Digital Forensics Documentation

Legal reasons, video, admissibility, chain of custody, time stamps, time offset, tags, reports, event logs, interviews

83. Admissibility

Determines what data can and cannot be used in court.

84. Chain of Custody

A list of all the people who came into possession of an item of evidence; label everything so you can show who was in contact with the evidence.

85. Time offset

Identifies times on tape recordings, for example, rather than the actual time.

86. Acquisition Types

Snapshot, Disk, RAM, Swap/pagefile, OS, Devices, Firmware, Cache, Network, or Artifacts.

87. Artifacts

Something digital that a human left behind as evidence: flash memory, recycle bin, log info, etc.

88. Swap/Pagefile

A place to store RAM contents when memory is deleted; can also store parts of applications.

89. Cloud forensics

Adds complexity: devices are not fully in your control, access may sometimes be limited due to maintenance, and the laws for the cloud may differ around the world.

90. Right to Audit Clauses

A legal agreement giving the option to perform a security audit at any time; the ability to verify security before a breach occurs.

91. E-discovery

The process of identifying and retrieving relevant electronic information to support litigation efforts; does not include analysis.