APPENDIX A

Answers to the “Check Your Understanding” Questions

Chapter 1

1. C. Ransomware commonly encrypts data on a computer and makes the data unavailable until the computer user pays a specific sum of money.

2. D. Cyberwarfare is a subset of information warfare (IW). Its objective is to disrupt (availability), corrupt (integrity), or exploit (confidentiality or privacy). It can be directed against military forces, critical infrastructures, or other national interests, such as economic targets. It involves several teams that work together. A botnet might be one of several tools used for launching the attack.

3. A. A security information and event management system (SIEM) combines data from multiple sources to help SOC personnel collect and filter data, detect and classify threats, analyze and investigate threats, and manage resources to implement preventive measures.

4. C, D, F. Technologies in a SOC should include the following:

  • Event collection, correlation, and analysis

  • Security monitoring

  • Security control

  • Log management

  • Vulnerability assessment

  • Vulnerability tracking

  • Threat intelligence

Proxy server, user authentication, and intrusion prevention systems (IPS) are security devices and mechanisms deployed in the network infrastructure and managed by the network operations center (NOC).

5. C. The term is used to describe gray hat hackers who rally and protect for a cause.

6. A. (ISC)² is an international nonprofit organization that offers the CISSP certification.

7. B. An incident responder is a Tier 2 security professional in an SOC. If the responder cannot resolve the incident ticket, the incident ticket should be escalated to the next-tier support, a Tier 3 subject matter expert. A Tier 3 SME would further investigate the incident.

8. A. In a typical SOC, the Tier 1 personnel are called alert analysts, also known as cyberoperations analysts.

9. D. A rogue wireless hotspot is a wireless access point running in a business or an organization without the official permission from the business or organization.

Chapter 2

1. B. The master boot record (MBR) contains a small program that is responsible for locating and loading the operating system. The BIOS executes this code and the operating system starts to load.

2. A. The net command is a very important command in Windows. Some common net commands include the following:

  • net accounts: Sets password and logon requirements for users

  • net session: Lists or disconnects sessions between a computer and other computers on the network

  • net share: Creates, removes, or manages shared resources

  • net start: Starts a network service or lists running network services

  • net stop: Stops a network service

  • net use: Connects, disconnects, and displays information about shared network resources

  • net view: Shows a list of computers and network devices on the network

3. C. An automatic startup will start the service automatically when the PC starts. The manual startup process will occur when the application is launched by a user. There is no boot, start, or startup service type that can be configured.

4. D. The types of commands that PowerShell can execute include the following:

  • Cmdlets: Perform an action and return an output or object to the next command that will be executed

  • PowerShell scripts: Files with a .ps1 extension that contain PowerShell commands that are executed

  • PowerShell functions: Pieces of code that can be referenced in a script

5. B. The registry contains information about applications, users, hardware, network settings, and file types. The registry also contains a unique section for every user, which contains the settings configured by that particular user.

6. B. There are more than 20 releases and versions of the Windows operating system. The Windows XP release introduced 64-bit processing to Windows computing.

7. D. If the ping from one host to another host on a remote network is successful, this indicates that the default gateway is operational. In this scenario, if a ping from one host to the default gateway failed, it is possible that some security features are applied to the router interface, preventing it from responding to ping requests.

8. C. The nslookup command was created to allow a user to manually query a DNS server to resolve a given host name. The ipconfig /displaydns command only displays previously resolved DNS entries. The tracert command was created to examine the path that packets take as they cross a network and can resolve a hostname by automatically querying a DNS server. The net command is used to manage network computers, servers, printers, and network drives.

9. B. CLI commands are typed into the Command Prompt window of the Windows operating system. The cd command is used to change the directory to the Windows root directory.

10. A. A 32-bit operating system is capable of supporting approximately 4 GB of memory. This is because 2^32 is approximately 4 GB.

11. C. Network applications have specific TCP or UDP ports that can be left open or blocked in Windows Firewall. Disabling automatic IP address assignment may result in the computer not being able to connect to the network at all. Enabling MAC address filtering is not possible in Windows and would only block specific network hosts, not applications. Changing default usernames and passwords will secure the computer from unauthorized users, not from applications.

12. A. The Windows Task Manager utility includes a Users tab from which the system resources consumed by each user can be displayed.

Chapter 3

1. B. The man command is short for manual and is used to obtain documentation about a Linux command. The command man man would provide documentation about how to use the manual.

2. C. Linux is an open source operating system and any person can access the source code, inspect it, modify it, and recompile it. Linux distributions are maintained by a community of programmers, are designed to be connected to a network, and do not have to provide free support.

3. D. In Linux, services are managed using configuration files. When the service starts, it looks for its configuration files, loads them into memory, and adjusts itself according to the settings in the files.

4. B. A graphical user interface (GUI) is considered to be more user-friendly because it presents the operating system with an interface and icons that make it easy to locate applications and complete tasks.

5. B. The Quicklist is accessed by right-clicking any application hosted on the Launcher. Quicklist allows access to a few tasks for the specific application.

6. C. A process is a running instance of a computer program. Multitasking operating systems can execute multiple processes at the same time. A process ID (PID) is used to identify a process. The ps or top command can be used to see what processes are currently running on a computer.

7. B. PenTesting is known as penetration testing and includes tools that are used to search for vulnerabilities in a network or computer by attacking it.

8. B. The basic best practices for device hardening are as follows:

  • Ensure physical security.

  • Minimize installed packages.

  • Disable unused services.

  • Use SSH and disable the root account login over SSH.

  • Keep the system updated.

  • Disable USB auto-detection.

  • Enforce strong passwords.

  • Force periodic password changes.

  • Keep users from reusing old passwords.

  • Review logs regularly.

9. B. The file permissions are always displayed in the User, Group, and Other order. In the example displayed, the file has the following permissions:

  • The dash (-) means that this is a file. For directories, the first dash would be replaced with a “d”.

  • The first set of characters is for user permission (rwx). The user, sales, who owns the file can read, write, and execute the file.

  • The second set of characters is for group permissions (rw-). The group, staff, who owns the file can read and write to the file.

  • The third set of characters is for any other user or group permissions (r--). Any other user or group on the computer can only read the file.
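Added example, not from the textbook: a Python parser for the `ls -l` permission field described in this answer. The sample line is constructed to match the answer (file owned by user sales, group staff, permissions rwx rw- r--); the octal mode it also returns is an addition the answer does not discuss, and setuid/setgid/sticky markers are out of scope.

```python
"""Parse the permission field of an `ls -l` line into User, Group and Other."""

# Constructed sample line matching the Chapter 3 Q9 answer (not real output).
SAMPLE_LINE = "-rwxrw-r-- 1 sales staff 2048 Jan 10 09:15 report.txt"

# First character of the mode field: '-' is a regular file, 'd' a directory.
FILE_TYPES = {"-": "file", "d": "directory", "l": "symlink"}


def parse_triad(triad):
    """Turn one three-character group such as 'rw-' into a dict of flags."""
    if len(triad) != 3:
        raise ValueError("bad permission triad %r" % triad)
    names = ("read", "write", "execute")
    result = {}
    for ch, name, expected in zip(triad, names, "rwx"):
        if ch == expected:
            result[name] = True
        elif ch == "-":
            result[name] = False
        else:
            raise ValueError("unexpected %r in triad %r" % (ch, triad))
    return result


def triad_octal(flags):
    """r=4, w=2, x=1, summed for one triad."""
    return 4 * flags["read"] + 2 * flags["write"] + 1 * flags["execute"]


def parse_ls_line(line):
    """Split an `ls -l` line and decode its mode field in User/Group/Other order."""
    fields = line.split(None, 8)  # mode links owner group size month day time name
    if len(fields) != 9:
        raise ValueError("expected 9 fields in an ls -l line")
    mode, owner, group, name = fields[0], fields[2], fields[3], fields[8]
    if len(mode) != 10 or mode[0] not in FILE_TYPES:
        raise ValueError("unrecognised mode field %r" % mode)
    perms = {
        "user": parse_triad(mode[1:4]),    # owner of the file
        "group": parse_triad(mode[4:7]),   # owning group
        "other": parse_triad(mode[7:10]),  # everyone else
    }
    octal = "".join(str(triad_octal(perms[k])) for k in ("user", "group", "other"))
    return {
        "type": FILE_TYPES[mode[0]],
        "owner": owner,
        "group": group,
        "permissions": perms,
        "octal": octal,
        "name": name,
    }


def describe(entry):
    """One-line, human-readable summary, e.g. for a hardening review."""
    def words(flags):
        return ", ".join(n for n in ("read", "write", "execute") if flags[n]) or "nothing"
    p = entry["permissions"]
    return ("%s %s (mode %s): user %s can %s; group %s can %s; others can %s"
            % (entry["type"], entry["name"], entry["octal"],
               entry["owner"], words(p["user"]),
               entry["group"], words(p["group"]), words(p["other"])))


if __name__ == "__main__":
    print(describe(parse_ls_line(SAMPLE_LINE)))
```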

Chapter 4

1. B. When the client receives the DHCPOFFER from the server, it sends back a DHCPREQUEST broadcast message. On receiving the DHCPREQUEST message, the server replies with a unicast DHCPACK message.

2. B. The transport layer of the OSI model has several responsibilities. One of the primary responsibilities is to segment data into blocks that can be reassembled in proper sequence at the destination device.

3. C. When a network device has to communicate with a device on another network, it broadcasts an ARP request asking for the default gateway MAC address. The default gateway (RT1) unicasts an ARP reply with its MAC address.

4. D. ARP, or the Address Resolution Protocol, works by mapping a destination MAC address to a destination IPv4 address. The host knows the destination IPv4 address and uses ARP to resolve the corresponding destination MAC address.

5. A. FTP is a client/server protocol. FTP requires two connections between the client and the server and uses TCP to provide reliable connections. With FTP, data transfer can happen in either direction. The client can download (pull) data from the server or upload (push) data to the server.

6. B, C. The OSI transport layer is functionally equivalent to the TCP/IP transport layer, and the OSI network layer is equivalent to the TCP/IP Internet layer. The OSI data link and physical layers together are equivalent to the TCP/IP network access layer. The OSI session layer (with the presentation layer) is included within the TCP/IP application layer.

7. A. The TCP/IP Internet layer provides the same function as the OSI network layer. The transport layer of both the TCP/IP and OSI models provides the same function. The TCP/IP application layer includes the same functions as OSI Layers 5, 6, and 7.

8. D. The IPv6 address 2001:0000:0000:abcd:0000:0000:0000:0001 in its most compressed format would be 2001:0:0:abcd::1. The first two hextets of zeros would each compress to a single zero. The three consecutive hextets of zeros can be compressed to a double colon ::. The three leading zeros in the last hextet can be removed. The double colon :: can only be used once in an address.
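Added example, not from the textbook: a Python implementation of the compression rules this answer states, generalized to any IPv6 address. It strips leading zeros from every hextet, replaces the single longest run of two or more all-zero hextets with ::, and rejects input that uses :: more than once; the tie-break (leftmost run wins) and the rule that a lone zero hextet is never compressed follow RFC 5952, which the answer does not cite. The cross-check against Python's ipaddress module is an assumption about the standard library, not part of the textbook.

```python
"""Compress an IPv6 address by the rules given in the Chapter 4 answer."""


def expand(addr):
    """Return the eight 4-digit hextets of an address, expanding one '::'."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero hextet")
        parts = left + ["0"] * missing + right
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError("expected 8 hextets, got %d" % len(parts))
    hextets = []
    for p in parts:
        if not 1 <= len(p) <= 4:
            raise ValueError("bad hextet %r" % p)
        hextets.append("%04x" % int(p, 16))   # also validates hex digits
    return hextets


def longest_zero_run(hextets):
    """(start, length) of the longest run of all-zero hextets, leftmost on a
    tie; (-1, 0) when no run of two or more exists (RFC 5952 rule)."""
    best_start, best_len = -1, 0
    i = 0
    while i < len(hextets):
        if hextets[i] != "0000":
            i += 1
            continue
        j = i
        while j < len(hextets) and hextets[j] == "0000":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    return (best_start, best_len) if best_len >= 2 else (-1, 0)


def compress(addr):
    """Most compressed textual form: no leading zeros, one '::' at most."""
    hextets = expand(addr)
    short = [h.lstrip("0") or "0" for h in hextets]   # "0000" -> "0", "0001" -> "1"
    start, length = longest_zero_run(hextets)
    if length == 0:
        return ":".join(short)
    left = ":".join(short[:start])
    right = ":".join(short[start + length:])
    return "%s::%s" % (left, right)


def matches_stdlib(addr):
    """Assumption: Python's ipaddress module applies the same RFC 5952 rules."""
    import ipaddress
    return compress(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    print(compress("2001:0000:0000:abcd:0000:0000:0000:0001"))
```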

9. B, C, D. DNS, DHCP, and FTP are all application layer protocols in the TCP/IP protocol suite. ARP and PPP are network access layer protocols, and NAT is an Internet layer protocol in the TCP/IP protocol suite.

10. D. A default gateway is only required to communicate with devices on another network. The absence of a default gateway does not affect connectivity between devices on the same local network.

11. D. When all devices need to receive the same message simultaneously, the message would be delivered as a broadcast. Unicast delivery occurs when one source host sends a message to one destination host. The sending of the same message from a host to a group of destination hosts is multicast delivery. Duplex communications refers to the ability of the medium to carry messages in both directions.

Chapter 5

1. C. Firewalls are used to permit or block traffic between networks according to access control policies.

2. C. An Ethernet switch examines the source MAC address of an incoming frame. If the source MAC address is not in the MAC address table, the switch will add it to the table with the associated ingress Ethernet port.

3. D. An intermediary device sends network messages toward a final destination. Examples of intermediary devices include a firewall, router, switch, multilayer switch, and wireless router.

4. C. TACACS+ uses TCP, encrypts the entire packet (not just the password), and separates authentication and authorization into two distinct processes. Both protocols are supported by the Cisco Secure ACS software.

5. D. An access point can be manually set to a specific frequency band or channel in order to avoid interference with other wireless devices in the area.

6. C. Intrusion detection systems (IDSs) use a set of rules, referred to as signatures, to identify malicious traffic on the network.

7. A. Devices connected to the Ethernet star topology connect to either a hub or a switch.

8. C. There are two methods that can be used to set date and time settings on network devices: manual configuration and automatic configuration using the Network Time Protocol (NTP). NTP keeps the time across all devices synchronized by using a hierarchical system of sources.

9. B. SNMP is an application layer protocol that allows administrators to manage and monitor devices on the network such as routers, switches, and servers.

Chapter 6

1. D. The hacker infects multiple machines (zombies), creating a botnet. Zombies launch the distributed denial-of-service (DDoS) attack.

2. B. The best description of Trojan horse malware, and what distinguishes it from viruses and worms, is that it appears as useful software but hides malicious code. Trojan horse malware may cause annoying computer problems, but can also cause fatal problems. Some Trojan horses may be distributed over the Internet, but they can also be distributed by USB memory sticks and other means. Specifically targeted Trojan horse malware can be some of the most difficult malware to detect.

3. D. Malware can be classified as follows:

  • Virus (self-replicates by attaching to another program or file)

  • Worm (replicates independently of another program)

  • Trojan horse (masquerades as a legitimate file or program)

  • Rootkit (gains privileged access to a machine while concealing itself)

  • Spyware (collects information from a target system)

  • Adware (delivers advertisements with or without consent)

  • Bot (waits for commands from the hacker)

  • Ransomware (holds a computer system or data captive until payment is received)

4. B. Malware can be classified as follows:

  • Virus (self-replicates by attaching to another program or file)

  • Worm (replicates independently of another program)

  • Trojan horse (masquerades as a legitimate file or program)

  • Rootkit (gains privileged access to a machine while concealing itself)

  • Spyware (collects information from a target system)

  • Adware (delivers advertisements with or without consent)

  • Bot (waits for commands from the hacker)

  • Ransomware (holds a computer system or data captive until payment is received)

5. D. Hacktivism is a term used to describe cyberattacks carried out by people who are considered political or ideological extremists. Hacktivists attack people or organizations that they believe are enemies to the hacktivist agenda.

6. Preventing users from accessing network resources is a denial-of-service attack. Being able to steal data from the network servers may be the objective after a reconnaissance attack gathers information about the target network and system. Redirecting data traffic so it can be monitored is a man-in-the-middle attack.

7. A. The Nmap tool is a port scanner that is used to determine which ports are open on a particular network device. A port scanner is used before launching an attack.

8. D. Common ways used to crack Wi-Fi passwords include social engineering, brute-force attacks, and network sniffing.

9. A. Phishing uses deception to convince people to divulge information. Hacktivism is hacking done for a specific cause such as political or social reasons. A script kiddie is an inexperienced hacker who uses free scripts, software, and tools. A denial-of-service (DoS) attack causes one or more services to be inaccessible or not work.

10. A. Worm malware can execute and copy itself without being triggered by a host program. It is a significant network and Internet security threat.

11. A. Network security personnel must be familiar with port numbers in order to identify the service being attacked. Well-known port number 21 is used to initiate an FTP connection to an FTP server. Well-known port 20 is then used to transfer data between the two devices. If the device connecting to the FTP server is unknown and launching an attack, the type of attack might be an FTP Trojan horse.

12. D. An email attachment that appears as valid software but actually contains spyware shows how malware might be concealed. An attack to block access to a website is a DoS attack. A hacker uses search engine optimization (SEO) poisoning to improve the ranking of a website so that users are directed to a malicious site that hosts malware or uses social engineering methods to obtain information. A botnet of zombie computers is used to launch a DDoS attack.

13. B. Viruses can be malicious and destructive or simply change something about the computer, such as words or images, and not necessarily cause the computer to malfunction. Viruses can be spread through shared media such as CDs or memory sticks, but can also be delivered via the Internet and email.

Chapter 7

1. B. Security information and event management (SIEM) is a technology that is used in enterprise organizations to provide real-time reporting and long-term analysis of security events. Splunk is a proprietary SIEM system.

2. C. Network security devices such as firewalls and intrusion prevention systems (IPSs) use preconfigured rules to identify malicious traffic on the network. Sometimes legitimate traffic is mistakenly identified as unauthorized or malicious. When legitimate traffic is incorrectly identified as unauthorized, it is known as a false positive.

3. C. When enabled on a switch, SPAN, or port mirroring, copies frames sent and received by the switch and forwards them to another port, known as a Switch Port Analyzer port, which has an analysis device attached.

4. B. Wireshark is a network protocol analyzer used to capture network traffic. The traffic captured by Wireshark is saved in PCAP files and includes interface information and timestamps.

5. A. Cybercriminals use SQL injections to breach a relational database, create malicious SQL queries, and obtain sensitive data.

6. C. Wireshark is a network protocol analyzer used to capture network traffic. The traffic captured by Wireshark is saved in PCAP files and includes interface information and timestamps.

7. C. SIEM provides administrators with details on sources of suspicious activity such as user information, device location, and compliance with security policies. One of the essential functions of SIEM is correlation of logs and events from different systems in order to speed the detection and reaction to security events.

8. D. A network TAP is a common technology that is used to capture traffic for monitoring the network. The TAP is typically a passive splitting device implemented inline on the network and that forwards all traffic, including physical layer errors, to an analysis device.

9. C. DHCP starvation attacks create a denial of service for network clients. The attacker sends DHCP discovery messages that contain fake MAC addresses in an attempt to lease all of the IP addresses. In contrast, DHCP spoofing occurs when a cybercriminal configures a rogue DHCP server to provide network clients with incorrect IP configuration information.

10. A. In a DoS, or denial-of-service, attack, the goal of the attacker is to prevent legitimate users from accessing network services.

11. C. NetFlow is a Cisco technology that runs on Cisco routers and multilayer switches and that gathers statistics on forwarded packets.

Chapter 8

1. A. The artichoke is now used to provide a visual analogy to describe a defense-in-depth security approach. The onion used to be descriptive because the attacker would “peel away” each layer of the network defense mechanisms. Now the artichoke is used because a single petal or leaf can be moved or removed to reveal sensitive information.

2. D. When a layered defense-in-depth security approach is used, layers of security are placed through the organization—at the edge, within the network, and on endpoints. The layers work together to create the security architecture. In this environment, a failure of one safeguard does not affect the effectiveness of other safeguards.

3. C. Authentication methods are used to strengthen access control systems. It is important to understand the available authentication methods.

4. B. With privilege escalation, vulnerabilities are exploited to grant higher levels of privilege. After the privilege is granted, the threat actor can access sensitive information or take control of the system.

5. C, D. RADIUS is an open-standard AAA protocol using UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting. It combines authentication and authorization into one process.

6. C. One of the components in AAA is authorization. After a user is authenticated through AAA, authorization services determine which resources the user can access and which operations the user is allowed to perform.

7. A. Business policies set a baseline of acceptable use. Company policies establish the rules and conduct and the responsibilities of both employees and the employer. Company policies protect the rights of the workers as well as the business interests of the company.

8. B. One of the components in AAA is accounting. After a user is authenticated through AAA, AAA servers keep a detailed log of exactly what actions the authenticated user takes on the device.

9. B. The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS). AIS enables the real-time exchange of cyberthreat indicators (e.g., malicious IP addresses, the sender address of a phishing email, etc.) between the U.S. federal government and the private sector.

10. D. The remote access policy section of a corporate security policy identifies how remote users can access a network and what is accessible via remote connectivity.

11. A. AAA authorization is implemented immediately after the user is authenticated against a specific AAA data source.

Chapter 9

1. A. When an asymmetric algorithm is used, public and private keys are used for the encryption. Either key can be used for encryption, but the complementary matched key must be used for the decryption. For example, if the public key is used for encryption, then the private key must be used for the decryption.

2. D. Because only the sender and receiver know the secret key, only parties that have access to that key can compute the digest of an HMAC function. This defeats man-in-the-middle attacks and provides authentication of where the data originated.

3. B. Data confidentiality is ensured through symmetric encryption algorithms, including DES, 3DES, and AES.

4. D. Code signing is used to verify the integrity of executable files downloaded from a vendor website. Code signing uses digital certificates to authenticate and verify the identity of a website.

5. A, C. MD5, HMAC, and SHA are hashing algorithms.

6. D. DH is an asymmetric mathematical algorithm that allows two computers to generate an identical shared secret, without having communicated before. Asymmetric key systems are extremely slow for any sort of bulk encryption. It is common to encrypt the bulk of the traffic using a symmetric algorithm such as DES, 3DES, or AES, and use the DH algorithm to create keys that will be used by the symmetric encryption algorithm.

7. B. A keyed-hash message authentication code (HMAC or KHMAC) is a type of message authentication code that uses an additional secret key as input to the hash function. This adds authentication to integrity assurance. When two parties share a secret key and use HMAC functions for authentication, the received HMAC digest of a message indicates that the other party was the originator of the message (non-repudiation), because it is the only other entity possessing the secret key. 3DES is an encryption algorithm, and MD5 and SHA-1 are hashing algorithms.

8. D. In a hierarchical CA topology, CAs can issue certificates to end users and to subordinate CAs, which in turn issue their certificates to end users, other lower level CAs, or both. In this way, a tree of CAs and end users is built in which every CA can issue certificates to lower level CAs and end users. Only the root CA can issue a self-signing certificate in a hierarchical CA topology.

9. C. When data is encrypted, it is scrambled to keep the data private and confidential so that only authorized recipients can read the message. A hash function is another way of providing confidentiality.

10. C. Hashing can be used to detect accidental changes only. It is possible for an attacker to intercept a message, change it, recalculate the hash, and append it to the message. The receiving device would validate the appended hash.
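Added example, not from the textbook, covering Chapter 9 Q7 and Q10 together: a receiver that checks a plain SHA-256 digest is fooled when the message is altered and the digest recalculated, while a receiver that checks an HMAC under the shared key catches the change, because the tag cannot be recomputed without that key. The key and messages are constructed values.

```python
"""Plain hash versus HMAC: why only the keyed digest detects deliberate tampering."""
import hashlib
import hmac
import os

# Constructed demo key, assumed known only to sender and receiver.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def plain_digest(message):
    """Unkeyed SHA-256: anyone can compute this over any message."""
    return hashlib.sha256(message).hexdigest()


def hmac_digest(key, message):
    """HMAC-SHA256: computing this requires the secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain(message, digest):
    """Receiver that only checks an appended hash (the Q10 situation)."""
    return hmac.compare_digest(plain_digest(message), digest)


def verify_hmac(key, message, tag):
    """Receiver that checks an HMAC tag under the shared key (Q7)."""
    return hmac.compare_digest(hmac_digest(key, message), tag)


def tamper_with_hash(message):
    """What the Q10 interceptor does: alter the message, recompute the hash,
    and append the new hash. Returns the pair the receiver will see."""
    forged = message.replace(b"100", b"900")
    return forged, plain_digest(forged)


def tamper_with_hmac(message, original_tag):
    """Same interceptor against an HMAC-protected message. Without SHARED_KEY
    the best options are forwarding the old tag or tagging under a key of the
    interceptor's own; both fail verification at the receiver."""
    forged = message.replace(b"100", b"900")
    attacker_key = os.urandom(32)  # not the shared key
    return forged, original_tag, hmac_digest(attacker_key, forged)


def demo():
    """Return (hash_detects_tampering, hmac_detects_tampering)."""
    msg = b"transfer 100 to account 42"

    # Plain hash: the recalculated digest matches the forged message.
    forged, new_digest = tamper_with_hash(msg)
    hash_detects = not verify_plain(forged, new_digest)

    # HMAC: neither the old tag nor an attacker-keyed tag verifies.
    tag = hmac_digest(SHARED_KEY, msg)
    forged2, old_tag, attacker_tag = tamper_with_hmac(msg, tag)
    hmac_detects = (not verify_hmac(SHARED_KEY, forged2, old_tag)
                    and not verify_hmac(SHARED_KEY, forged2, attacker_tag))
    return hash_detects, hmac_detects


if __name__ == "__main__":
    print("plain hash caught tampering: %s, HMAC caught tampering: %s" % demo())
```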

11. B. To address the interoperability of different PKI vendors, IETF published the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527). The standard defines the format of a digital certificate.

12. A, E. A digital certificate class is identified by a number. The higher the number, the more trusted the certificate. The classes include the following:

  • Class 0 is for testing purposes in which no checks have been performed.

  • Class 1 is for individuals with a focus on verification of email.

  • Class 2 is for organizations for which proof of identity is required.

  • Class 3 is for servers and software signing for which independent verification and checking of identity and authority is done by the issuing certificate authority.

  • Class 4 is for online business transactions between companies.

  • Class 5 is for private organizations or governmental security.

13. A. In the CA authentication procedure, the first step when contacting the PKI is to obtain a copy of the public key of the CA itself, called the self-signed certificate. The CA public key verifies all the certificates issued by the CA.

Chapter 10

1. B. The Open Source HIDS SECurity (OSSEC) software is an open source HIDS that uses a central manager server and agents that are installed on the hosts that are to be monitored.

2. C. The Domain profile in Windows Firewall configuration is for connections to a trusted network, such as a business network, that is assumed to have an adequate security infrastructure.

3. A. The Common Vulnerability Scoring System (CVSS) is a risk assessment tool to convey the common attributes and severity of vulnerabilities in computer hardware and software systems.

4. C. There are four potential strategies for responding to risks that have been identified:

  • Risk avoidance: Stop performing the activities that create risk.

  • Risk reduction: Decrease the risk by taking measures to reduce vulnerability.

  • Risk sharing: Shift some of the risk to other parties.

  • Risk retention: Accept the risk and its consequences.

5. D. The major regulatory compliance options include:

  • Federal Information Security Management Act of 2002 (FISMA): Specifies security standards for U.S. government systems and contractors to the U.S. government.

  • Sarbanes-Oxley Act of 2002 (SOX): Sets new or expanded requirements for all U.S. public company boards, management, and public accounting firms regarding the way in which corporations control and disclose financial information.

  • Gramm-Leach-Bliley Act (GLBA): Established that financial institutions must ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

  • Health Insurance Portability and Accountability Act (HIPAA): Requires that all patient personally identifiable healthcare information be stored, maintained, and transmitted in ways that ensure patient privacy and confidentiality.

6. B, D, F. IoT components, such as sensors, controllers, and network security cameras, are network endpoints when they are connected to a network. Routers, VPN appliances, and wireless access points are examples of intermediate devices.

7. C. Antimalware programs may detect viruses using three different approaches:

  • Signature-based, by recognizing various characteristics of known malware files

  • Heuristics-based, by recognizing general features shared by various types of malware

  • Behavior-based, through analysis of suspicious activities

8. C. The SANS Institute describes three components of the attack surface:

  • Network Attack Surface: Exploitation of vulnerabilities in networks

  • Software Attack Surface: Exploitation of vulnerabilities in web, cloud, or host-based software applications

  • Human Attack Surface: Exploitation of weaknesses in user behavior

9. C. The service accounts element of a server profile defines the type of service that an application is allowed to run on a given host.

10. B. The Base metric group of CVSS represents the characteristics of a vulnerability that are constant over time and across contexts. It contains two classes of metrics:

  • Exploitability metrics: Features of the exploit such as the vector, complexity, and user interaction required by the exploit

  • Impact metrics: The impacts of the exploit rooted in the CIA triad of confidentiality, integrity, and availability

11. B. The steps in the Vulnerability Management Life Cycle include these:

  • Discover: Inventory all assets across the network and identify host details, including operating systems and open services to identify vulnerabilities.

  • Prioritize assets: Categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to business operations.

  • Assess: Determine a baseline risk profile to eliminate risks based on asset criticality, vulnerability threats, and asset classification.

  • Report: Measure the level of business risk associated with your assets according to your security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities.

  • Remediate: Prioritize according to business risk and fix vulnerabilities in order of risk.

  • Verify: Verify that threats have been eliminated through follow-up audits.

12. A. A risk analysis includes assessment of the likelihood of attacks, identifies types of likely threat actors, and evaluates the impact of successful exploits on the organization.

Chapter 11

1. A. The tcpdump command line tool is a popular packet analyzer. It can display packet captures in real time or write packet captures to a file.

2. C. Various Windows host logs can have different event types. The Information event type records an event that describes the successful operation of an application, driver, or service.

3. A. Alert data is generated by IPS or IDS devices in response to traffic that violates a rule or matches the signature of a known security threat.

4. B. Tor is a software platform and network of peer-to-peer (P2P) hosts that function as routers. Users access the Tor network by using a special browser that allows them to browse anonymously.

5. D. NetFlow does not capture the entire contents of a packet. Instead, NetFlow collects metadata, or data about the flow, not the flow data itself. NetFlow information can be viewed with tools such as nfdump and FlowViewer.

6. C. Statistical data is created through the analysis of other forms of network data. Conclusions from these analyses can be used to describe or predict network behavior.

7. A. Some malware uses DNS to communicate with command-and-control (CnC) servers to exfiltrate data in traffic that is disguised as normal DNS query traffic.

8. C. AVC uses Cisco Next-Generation Network-Based Application Recognition (NBAR2) to discover and classify the applications in use on the network.

9. D. Transaction data focuses on the results of network sessions as reflected by the device logs kept by server processes, such as the details of a user’s visit to a website.

10. C. Syslog is important to security monitoring because network devices send periodic messages to the syslog server. These logs can be examined to detect inconsistencies and issues within the network.

11. B. Event Viewer in Windows can be used to review entries in various logs.

12. B, E. POP, POP3, and IMAP are protocols that are used to retrieve email from servers. SMTP is the default protocol that is used to send email. DNS may be used by the sender email server to find the address of the destination email server. HTTP is a protocol for sending and receiving web pages.

Chapter 12

1. A, D. Enterprise Log Search and Archive (ELSA) is an enterprise-level tool for searching and archiving NSM data that originates from multiple sources. ELSA receives logs over Syslog-NG, stores logs in MySQL databases, and indexes using Sphinx Search.

2. A. Integrated into the Security Onion, OSSEC is a host-based intrusion detection system (HIDS) that can conduct file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection.

3. C. NIST describes the digital forensics process as involving the following four steps:

  • Data collection: The identification of potential sources of forensic data and acquisition, handling, and storage of that data.

  • Examination: Assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data.

  • Analysis: Drawing conclusions from the data. Salient features, such as people, places, times, events, and so on, should be documented.

  • Reporting: Preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate.

4. B, D. Regular expressions allow forensics analysts to search through large quantities of text information for patterns of data. Some common operators used in regular expressions are the following:

  • $     End of a line

  • []     Any single value within the square brackets

  • *      Preceding sub-expression zero or more times

  • [^1]  Any character except those bound by the [^ and the ]
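The four operators listed above, exercised on a small set of constructed lines (shell history and file-listing fragments of the kind an analyst might carve from an image). This is an added example written for this appendix, not code from the book; the sample lines and the grep-style helper are assumptions made for the illustration.

```python
import re

# Constructed sample lines (not from the page)
SAMPLE_LINES = [
    "2023-01-10 09:12:01 user1 ran setup.exe",
    "2023-01-10 09:15:44 user1 ran notes.txt",
    "2023-01-11 22:03:09 root ran dropper.exe",
    "2023-01-12 00:00:00 svc ran backup.exe.bak",
    "ID bob",
    "ID5 carol",
    "ID123 dave",
    "IDx eve",
]


def grep(pattern, lines):
    """Return the lines that match pattern anywhere (like grep -E)."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


# $   : anchor to the END of the line, so "backup.exe.bak" is excluded
def exe_at_end(lines=SAMPLE_LINES):
    return grep(r"\.exe$", lines)


# [ ] : exactly one character from the set; here an hour of 22 or 23
def late_night(lines=SAMPLE_LINES):
    return grep(r" 2[23]:[0-5][0-9]:[0-5][0-9] ", lines)


# *   : zero or more of the preceding sub-expression; "ID" followed by
#       zero digits ("ID bob") or several ("ID123 dave") both match,
#       while "IDx eve" does not because "x" is neither a digit nor a space
def id_lines(lines=SAMPLE_LINES):
    return grep(r"^ID[0-9]* ", lines)


# [^ ]: any single character NOT in the set; lines whose first character
#       is not a digit, i.e. everything that lacks a leading timestamp
def non_digit_start(lines=SAMPLE_LINES):
    return grep(r"^[^0-9]", lines)


if __name__ == "__main__":
    for name, fn in [("\\.exe$", exe_at_end), ("[23]", late_night),
                     ("[0-9]*", id_lines), ("[^0-9]", non_digit_start)]:
        print(name, "->", fn())
```

`re.search` scans for the pattern anywhere in the line, which is why the `$` and `^` anchors matter: without them, `\.exe` would also match `backup.exe.bak`, and `[^0-9]` would match almost every line.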

5. A. A false negative classification indicates that a security system has not detected an actual exploit.

6. B. The primary duty of a cybersecurity analyst is the verification of security alerts. In the Security Onion, the first place that a cybersecurity analyst will go to verify alerts is Sguil because it provides a high-level console for investigating security alerts from a wide variety of sources.

7. C. With data normalization, various sources of data are combined into a common display format, which simplifies searching for similar or relevant events.
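A concrete illustration of the normalization this answer describes, added here as example code (it is not from the book and does not reflect any particular product's schema): two constructed log formats, a firewall syslog line and a proxy CSV record, are parsed into one common record shape with a single timestamp format and a single action vocabulary, after which a search by source address works across both sources. The field names, the year assumed for syslog timestamps, and the sample records are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in two different formats (not from the page)
FIREWALL_SYSLOG = [
    "Jan 10 09:12:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=203.0.113.5 PROTO=TCP DPT=4444",
    "Jan 10 09:12:05 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP DPT=443",
]
PROXY_CSV = [
    "2023-01-10T09:12:03Z,10.0.0.7,203.0.113.5,BLOCKED,http://203.0.113.5/a.php",
    "2023-01-10T09:13:00Z,10.0.0.9,93.184.216.34,ALLOWED,https://example.net/",
]

# Common vocabulary for the "action" field across every source
ACTION_MAP = {"DROP": "deny", "ACCEPT": "allow",
              "BLOCKED": "deny", "ALLOWED": "allow"}

FW_RE = re.compile(
    r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) kernel: (ACCEPT|DROP) "
    r".*SRC=(\S+) DST=(\S+)"
)


def normalize_firewall(line, year=2023):
    """Syslog has no year, so one is supplied (assumption for the example)."""
    m = FW_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, verdict, src, dst = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts.isoformat(), "source": f"firewall:{host}",
            "src_ip": src, "dst_ip": dst, "action": ACTION_MAP[verdict]}


def normalize_proxy(line):
    """Proxy record: ISO timestamp,client,server,verdict,url."""
    try:
        ts_s, src, dst, verdict, url = line.split(",", 4)
    except ValueError:
        return None
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.isoformat(), "source": "proxy",
            "src_ip": src, "dst_ip": dst, "action": ACTION_MAP[verdict],
            "url": url}


def normalize_all(fw_lines, proxy_lines):
    """Merge both sources into one list of common-schema events, ordered by time."""
    events = [normalize_firewall(l) for l in fw_lines]
    events += [normalize_proxy(l) for l in proxy_lines]
    events = [e for e in events if e is not None]
    # All timestamps share one ISO 8601 UTC format, so string order is time order
    return sorted(events, key=lambda e: e["ts"])


def search_by_src(events, src_ip):
    """Once normalized, one query finds the host's activity in every source."""
    return [e for e in events if e["src_ip"] == src_ip]


if __name__ == "__main__":
    for e in search_by_src(normalize_all(FIREWALL_SYSLOG, PROXY_CSV), "10.0.0.7"):
        print(e["ts"], e["source"], e["action"], e["dst_ip"])
```

The two design decisions that make the search useful are mapping every source's verdict words onto one small set (`allow`/`deny`) and emitting timestamps in a single sortable format with an explicit time zone; without both, an analyst correlating a firewall drop with a proxy block still has to translate by hand.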

8. B. Evidence can be classified as follows:

  • Best evidence: This is evidence that is in its original state. It might be storage devices used by an accused or archives of files that can be proven to be unaltered.

  • Corroborating evidence: This is evidence that supports a proposition already supported by initial evidence, therefore confirming the original proposition.

  • Indirect evidence: This evidence acts in combination with other facts to establish a hypothesis.

Chapter 13

1. C. Common attack vectors include media, attrition, impersonation, and loss or theft. Attrition attacks are any attacks that use brute force. Media attacks are those initiated from storage devices. Impersonation attacks occur when something or someone is replaced for the purpose of the attack, and loss or theft attacks are initiated by equipment inside the organization.

2. A. It is in the detection and analysis phase of the NIST incident response life cycle that the CSIRT identifies and validates incidents through continuous monitoring. NIST defines four stages of the incident response life cycle.

3. D. It is in the preparation phase of the NIST incident response life cycle that the CSIRT is trained on how to respond to an incident.

4. A, B, C. The most common exploit targets, once a weapon is delivered, are applications, operating system vulnerabilities, and user accounts. Threat actors will use an exploit that gains the effect they desire, does it quietly, and avoids detection.

5. C. The resources element in the Diamond Model is used to describe one or more external resources used by the adversary for the intrusion event. The resources include software, knowledge gained by the adversary, information (e.g., username/passwords), and assets to carry out the attack.

6. D. In the installation phase of the Cyber Kill Chain, the threat actor establishes a backdoor into the system to allow for continued access to the target.

7. A. The Discovery and Response element is used to record the timeline of events, the method of incident discovery, and what the response was to the incident. Incident Tracking is for recording general information about the incident.

8. B, E. The most common exploit targets, once a weapon is delivered, are applications, operating system vulnerabilities, and user accounts. Among other measures, such as regular vulnerability scanning and penetration testing, training web developers in securing code can help block potential exploitations on systems.

9. A. A chain of custody refers to the documentation of evidence collected about an incident that is used by authorities during an investigation.

10. A. There are many different types of CSIRTs and related information security organizations. Analysis centers use data from many sources to determine security incident trends that can help predict future incidents and provide early warning. This helps to mitigate the damages that incidents can cause.

11. C. A threat actor may send the weapon through web interfaces to the target server, either in file uploads or coded web requests. By analyzing the infrastructure storage path used for files, security measures can be implemented to monitor and detect malware deliveries through these methods.

12. B. The management team creates the policies, designs the budget, and is in charge of staffing all departments. Management is also responsible for coordinating the incident response with other stakeholders and minimizing the damage of an incident.

13. B. The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:

  1. Reconnaissance: The threat actor performs research, gathers intelligence, and selects targets.

  2. Weaponization: The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.

  3. Delivery: The weapon is transmitted to the target using a delivery vector.

  4. Exploitation: The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.

  5. Installation: The threat actor establishes a backdoor into the system to allow for continued access to the target.

  6. Command and Control (CnC): The threat actor establishes command and control (CnC) with the target system.

  7. Action on Objectives: The threat actor is able to take action on the target system, thus achieving the original objective.
