SANS FOR508 exam questions with answers
Dwell Time - CORRECT ANSWERS ✔✔The time an attacker has remained undetected within a network. An important metric to track as it directly correlates with the ability of an attacker to accomplish their objectives.

Breakout Time - CORRECT ANSWERS ✔✔Time it takes an intruder to begin moving laterally once they have an initial foothold in the network.

Main Threat Actors - CORRECT ANSWERS ✔✔APT (Nation State Actors)
Organized Crime
Hacktivists

NIST - CORRECT ANSWERS ✔✔US National Institute for Standards and Technology

Six-Step Incident Response Process - CORRECT ANSWERS ✔✔1: Preparation
2: Identification
3: Containment and Intelligence Development
4: Eradication and Remediation
5: Recovery
6: Follow-up

Six-Step - Preparation - CORRECT ANSWERS ✔✔Incident response methodologies emphasize preparation - not only establishing a response capability so the organization is ready to respond to incidents but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.

Six-Step - Identification - CORRECT ANSWERS ✔✔Identification is triggered by a suspicious event. This could be from a security appliance, a call to the help-desk, or the result of something discovered via threat hunting. Event validation should occur and a decision made as to the severity of the finding (not all valid events lead to a full incident response). Once an incident response has begun, this phase is used to better understand the findings and begin scoping the network for additional compromise.

Six-Step - Containment and Intelligence Development - CORRECT ANSWERS ✔✔In this phase, the goal is to rapidly understand the adversary and begin crafting a containment strategy. Responders must identify the initial vulnerability or exploit, how the attackers are maintaining persistence and laterally moving in the network, and how command and control is being accomplished. In conjunction with the previous scoping phase, responders will work
during this phase is to improve the overall security of the network and to detect and prevent immediate reinfection. Some recovery models include
-Improve Enterprise Authentication Model
-Enhanced Network Visibility
-Establish comprehensive Patch Management Program
-Enforce Change Management Program
-Centralized Logging (SIM/SIEM)
-Enhance Password Portal
-Establish Security Awareness Training Program
-Network Redesign

Follow-Up - CORRECT ANSWERS ✔✔Follow-Up is used to verify the incident has been mitigated, the adversary has been removed, and additional countermeasures have been implemented correctly. This step combines additional monitoring, network sweeps looking for new breaches, and auditing the network (penetration tests and compliance) to ensure new security mechanisms are in place and functioning normally.

Problem with the Six-Step incident response process - CORRECT ANSWERS ✔✔Few teams follow the process as prescribed. Pressure leads to immediately moving to the Eradication/Remediation phase before true scoping and understanding of the incident occurs. Moving to eradication too early removes the benefits and capabilities provided by cyber threat intelligence and intelligence-driven incident response doctrine.

Whack-a-mole - CORRECT ANSWERS ✔✔The organization blindly chases the attacker throughout the network, making little overall progress.

What drives the immediate eradication/remediation call to arms? - CORRECT ANSWERS ✔✔Fear of losing data: data deemed as too valuable, risk too high.

Intelligence Development - CORRECT ANSWERS ✔✔-Tools, techniques, and procedures
-Understanding adversary intent
-Malware gathering
-IOC Development
-Campaign identification

Containment/Active Defense - CORRECT ANSWERS ✔✔-Prevent or slow additional access during monitoring and collection phase
-Full-scale host/network monitoring
-Data decoy
-Bit mangling

A remediation event should: - CORRECT ANSWERS ✔✔-Deny access to the environment
-Eliminate the ability for the adversary to react to the remediation
-Remove the presence of the adversary from the environment
-Degrade the ability of the adversary to return

Remediation consists of three steps: - CORRECT ANSWERS ✔✔-Posture for remediation
-Execute remediation
-Implement and apply additional security controls

Visibility - CORRECT ANSWERS ✔✔With proper visibility, remediation can (and should) begin on day one of an incident. Visibility allows responders to initiate these actions much earlier in the response cycle, actively countering threats as they are found.

Reactive Organization - CORRECT ANSWERS ✔✔-Incident starts when notification comes in
-Call from government agency
-Vendor/threat information
-Security appliance alert
-"Five-alarm fire" response

Hunting Organization - CORRECT ANSWERS ✔✔-Actively looking for incidents
-Known malware and variants
-Patterns of activity: evil versus normal
-Threat intelligence
-Security patrols
-Reduce adversary dwell time

Primary goal of incident hunting - CORRECT ANSWERS ✔✔Reduce the dwell time of attackers

What's a key component to building a hunt team? - CORRECT ANSWERS ✔✔Having a cyber threat intelligence capability residing inside your security team and feeding directly to the hunt team.

A proper cyber threat intelligence capability will arm the hunting team with: - CORRECT ANSWERS ✔✔-Where to look
-What to look for
-Likelihood of attack

TTPs - CORRECT ANSWERS ✔✔Tactics
Techniques
Procedures

Behavioral Indicators - CORRECT ANSWERS ✔✔Combine other indicators to form a profile.

The weaponization phase - CORRECT ANSWERS ✔✔The phase the victim doesn't see happen but can very much detect. Weaponization is the act of placing malicious payload into a delivery vehicle.

Exploitation phase - CORRECT ANSWERS ✔✔Will possibly have elements of a software vulnerability, a human vulnerability known as "social engineering" or a hardware vulnerability (rare).

The "persistence" in APT intrusions is manifested in two ways: - CORRECT ANSWERS ✔✔-Maintaining a presence on your network
-Repeatedly attempting to gain entry to areas where presence is not established.

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) - CORRECT ANSWERS ✔✔A model and framework for describing the actions an adversary may take while operating within an enterprise network. The model is designed to help characterize and describe post-compromise behavior.

The Twelve tactic categories for ATT&CK were derived from? - CORRECT ANSWERS ✔✔The later stages (Control, Maintain, and Execute) of the Seven-Stage Cyber Attack Lifecycle (first articulated by Lockheed Martin as the Cyber Kill Chain)

Tactics, such as "Persistence", specify? - CORRECT ANSWERS ✔✔Common actions occurring during an attack

Indicator of Compromise (IOC) - CORRECT ANSWERS ✔✔Describes attacker tools and tradecraft using a rich and precise language that can be understood by both humans and security tools. Generally, they include a combination of Boolean expressions that can be used to identify characteristics of malware.

Two types of IOCs - CORRECT ANSWERS ✔✔Host-Based
Network-Based

STIX = Structured Threat Information eXpression - CORRECT ANSWERS ✔✔A collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information. The STIX language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.

Persistence Mechanism - CORRECT ANSWERS ✔✔Methods to keep malware "persistent" across multiple reboots on a system.

Systems involved in a compromise can be largely collected into three categories: - CORRECT ANSWERS ✔✔-Systems with active malware
-Systems with Dormant Malware (Not Active or Cleaned)
-Systems without Tools or Malware (Living off the Land)

EDR - CORRECT ANSWERS ✔✔Enterprise Detection and Response

SOC - CORRECT ANSWERS ✔✔Security Operations Center

Detecting Compromised Endpoints Without Active Malware: Deep Dive Forensics - CORRECT ANSWERS ✔✔-Program Execution
-File Opening
-File Knowledge
-Event Logs
-Browser Usage

Most popular Malware name on the planet. - CORRECT ANSWERS ✔✔svchost.exe

LOLBin - CORRECT ANSWERS ✔✔Living off the Land Binaries

The LOLBAS project - CORRECT ANSWERS ✔✔Collects, categorizes, and provides example usage of Living off the Land Binaries (LOLBin). Created by Oddvar Moe and does an excellent job of collecting and categorizing relevant attacker use cases for legitimate Windows binaries.

D-U-N-S number - CORRECT ANSWERS ✔✔Indicates a company's financial stability

Flame and Stuxnet - CORRECT ANSWERS ✔✔Two high profile examples of code signing thefts

CRL - CORRECT ANSWERS ✔✔Certificate revocation list. A list of certificates that a CA has revoked. Certificates are commonly revoked if they are compromised, or issued to an employee who has left the organization.

ASEPs - CORRECT ANSWERS ✔✔Autostart Extension Points. Windows "autoruns"

Start values: - CORRECT ANSWERS ✔✔0x02 (Automatic)
0x00 (Boot start of a device)