Chapter 14 – Mock Exam 1

  1. 1. pcregrep.
  2. 1. SOX.
  3. 3. It is commonly used by threat actors because it is also used in common legitimate applications.
  4. 4. Mozilla/5.0 (X11; x86_64; rv:21.0) Gecko/20100101 Firefox/21.0.
  5. 4. Analysis resulting in conclusive results.
  6. 2. tcpdump uses UTC time, where Wireshark's packet list pane uses relative timestamps.
  7. 3. A rule with priority 1 in a policy with priority 4.
  8. 1. Actors, Actions, Assets, Attributes.
  9. 1. To determine the format for emails within the organization in order to generate whale phishing targets from the publicly accessible directors list.
  10. 1. As generic as possible.
  11. 4. Virtual Alloc.
  12. 1. At the network layer, the address is maintained from the sending computer to the destination computer.
  13. 4. User Interaction: Required.
  14. 3. Confidentiality | Integrity | Availability.
  15. 3. Exploits are linked to observed vulnerabilities in the system.
  16. 1. Name of the investigator, and 2. Date of collection.
  17. 4. Changing the data doesn't affect integrity if the process is documented.
  18. 3. Year of Birth.
  19. 4. A flow involving a Tor exit node is identified as a potential threat.
  20. 2. An internal host is sending large amounts of data out of the network.
  21. 1. The pipe character (|).
  22. 4. Confidentiality and availability are both affected, so both should be scored.
  23. 3. The layer 3 address is hierarchical.
  24. 4. A European company that has over 300 US shareholders.
  25. 1. NetFlow would record 2 flows.
  26. 4. Records to [hacme.com]:80 in NetFlow, where [hacme.com] is the correct IP address for the bank's web server.
  27. 4. Actor: External | Action: Environmental.
  28. 3. A copy of the files on a disk.
  29. 2. DHCP pool depletion caused by excessively long lease time.
  30. 1. To deter future attacks.
  31. 2. SSL.
  32. 4. Systems on the transmission path for card holder data which are on a public infrastructure (for example, the internet).
  33. 3. The 5-tuple is unchanged throughout the journey from host to host.
  34. 2. Analysis centers.
  35. 4. Verification of suspected incident.
  36. 4. To detect future threats.
  37. 3. Attributes.
  38. 2. query user.
  39. 1. Nothing. The IDS has taken no action, so the file reached its intended target.
  40. 2. /var/log/messages.
  41. 4. Command and Control.
  42. 2. An attacker has persistent access.
  43. 3. SS[^D].
  44. 4. Which sources of evidence, if any, should be acquired.
  45. 3. Actions on objectives.
  46. 2. Understanding of the context of each entry.
  47. 3. To identify the appropriate flow.
  48. 4. NBAR.
  49. 4. Have all the customer effects from the incident been reset?
  50. 1. By maintaining a unified time across all the devices in the network.