What people should be brought in as an incident response team? correct answers * Security
* Systems Admin
* Network Management
* Legal
* HR
* Public Affairs
* Disaster Recovery
* Union Rep
How should the incident response team be organized? correct answers * With onsite people
* Establish a baseline for response
What are some ways to prepare for issues? correct answers * System build checklists per system type
* Establish comp time for the team
What should go into an emergency communications plan? correct answers * Create a call list and establish methods of informing people quickly
* Get a conference bridge number that can be set up on demand
* Print credit-card sized lists of incident response team contact info
* Test the call list periodically to verify people actually answer the phone
What should a war room contain? correct answers * Locking door
* Locking file cabinet
* No windows
What are the main training issues when training an incident response team? correct answers * Creating forensic images under fire
* Keyboard skills under fire
What should go into a jump bag? correct answers * Binary image creation software: dd, windd, netcat
* Forensic software
* Diagnosis software
* Bootable media
* USB token / RAM device
* External hard drive
* Ethernet tap
* Patch cables
* Laptop with multiple OSes
* Call list
* Anti-static plastic bags
* Desiccants for moisture
* Notebooks
* Jumpers
* Flashlight
* Screwdrivers
* Female-to-female RJ-45 coupler
What is the goal of the identification phase? correct answers * Gather events, analyze them, and determine whether or not there is an incident
What are some trends in the underground community? correct answers * Attack tools getting easier to use
* High-quality, extremely functional tools
* Rise of the anti-disclosure movement
* Rise of hacktivism
What are software distro site attacks? correct answers * Software on a distribution site or repository is hacked into and altered to include a back door
* ISR-Evilgrade listens for a program's update-check request (the attacker must first redirect that traffic to itself, e.g. via DNS or ARP spoofing)
* It answers with a fake update response that carries malware
* Modules exist for Java, WinZip, WinAmp, the OS X software updater, OpenOffice, iTunes, etc.
Software distro site defenses correct answers * Check hashes across multiple mirrors
- check both MD5 and SHA-1 (prefer SHA-256 where the vendor publishes it; MD5 and SHA-1 are no longer collision resistant)
- a hash hosted on the same compromised mirror as the file proves nothing, so compare against digests obtained from other mirrors or the vendor
* Check PGP signatures if available
- be sure the key is trustworthy (obtained out of band, not from the same download page)
* Test software before putting it in production
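The hash cross-check above, written out as an added example (not code from the original page): digests for a download are compared both against each other across mirrors and against the local file, so a single mirror that serves a backdoored file together with a matching hash is caught by the disagreement. The mirror names, the "tarball" bytes and the published digests are constructed for illustration.

```python
"""Verify a downloaded file against digests published by several mirrors.

Added example (not from the original page): the mirror names, digests and
file contents below are constructed for illustration.
"""
import hashlib
from typing import Dict, List, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed stand-ins for a downloaded tarball and a backdoored copy of it.
CLEAN_TARBALL = b"PK\x03\x04 example-tool-1.2.3 (constructed sample bytes)"
TAMPERED_TARBALL = CLEAN_TARBALL + b"\n# backdoor appended by a compromised mirror\n"


def digests(data: bytes) -> Dict[str, str]:
    """Compute every digest we compare, so a mismatch on any one algorithm is caught."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def verify_download(data: bytes, published: Dict[str, Dict[str, str]]) -> Tuple[bool, List[str]]:
    """Return (ok, problems).

    `published` maps a mirror name to the digests it advertises. The download
    passes only if every mirror agrees with every other mirror AND the local
    file matches them; a single dissenting mirror is treated as suspicious.
    """
    problems: List[str] = []
    local = digests(data)
    mirrors = list(published)
    if not mirrors:
        return False, ["no published digests to compare against"]
    if len(mirrors) < 2:
        problems.append("need digests from at least two independent mirrors")
    # Cross-check mirrors against each other: a compromised mirror can publish
    # a hash that matches its own backdoored file, but not the other mirrors'.
    reference = published[mirrors[0]]
    for name in mirrors[1:]:
        for alg in ALGORITHMS:
            if published[name].get(alg) != reference.get(alg):
                problems.append(f"{alg} published by {name} disagrees with {mirrors[0]}")
    # Check the file we actually downloaded against every published value.
    for name in mirrors:
        for alg in ALGORITHMS:
            expected = published[name].get(alg)
            if expected is None:
                problems.append(f"{name} publishes no {alg} digest")
            elif expected != local[alg]:
                problems.append(f"local {alg} does not match {name}")
    return (not problems, problems)


# Constructed mirror manifests: two honest mirrors and one that was altered.
HONEST_MIRRORS = {
    "mirror-a.example.net": digests(CLEAN_TARBALL),
    "mirror-b.example.org": digests(CLEAN_TARBALL),
}
MIXED_MIRRORS = dict(HONEST_MIRRORS, **{"mirror-c.example.com": digests(TAMPERED_TARBALL)})

if __name__ == "__main__":
    for label, data, mirrors in (
        ("clean file, honest mirrors", CLEAN_TARBALL, HONEST_MIRRORS),
        ("tampered file, honest mirrors", TAMPERED_TARBALL, HONEST_MIRRORS),
        ("clean file, one bad mirror", CLEAN_TARBALL, MIXED_MIRRORS),
    ):
        ok, problems = verify_download(data, mirrors)
        print(f"{label}: {'OK' if ok else 'FAIL'} {problems}")
```

The cross-mirror comparison is the part that matters: if the only digest you check comes from the same page that served the file, an attacker who altered the file also altered the digest. A detached PGP signature verified against a key obtained out of band is the stronger check; the hash comparison is what you fall back on when no signature is published.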
What are some general trends in attacking? correct answers * Worms are increasingly being used to carry bots, backdoors, password crackers, and scanners
* Botnets are growing by means of self-replicating code
* Distributed, cooperative attacks (many attackers coordinating against one target) are very popular
What is reconnaissance? correct answers * Basically casing the joint
* Generally script kiddies or attackers out to get a specific site
* Gathering as much information as possible from open sources
What information can be gathered from domain name registration? correct answers * Address
* Phone numbers
* Points of contact
* Authoritative domain name servers
How can WHOIS be used for research? correct answers * Can gather contact names and DNS information
* Has information on the registrar
* Has information on IP blocks allocated to the target (from the regional Internet registry's WHOIS)
Whois recon defenses correct answers * Preparation
- Just live with it, because that's the internet
- Have real contact information with up-to-date records
* Identification
- Can't really tell that anyone has looked you up
What is a DNS zone transfer? correct answers * Dumps all records from a DNS server and can show the attacker which machines are accessible on the internet
How is a zone transfer done in Windows? correct answers nslookup
server <authoritative server IP or name>
set type=any
ls -d <target domain>
How is a zone transfer done in Unix? correct answers dig @<DNS server IP> <target domain> -t AXFR
What are DNS recon defenses? correct answers * Preparation
- Do not allow zone transfers from just any system
- Limit zone transfers so the primary accepts these requests only from its secondary and tertiary servers
- Use split DNS
- External name info on external servers
- Internal name info on internal servers
- Make sure DNS servers are hardened
* Identification
- Look for zone transfer (AXFR) requests in DNS server logs and in TCP port 53 traffic (zone transfers run over TCP, unlike ordinary lookups)
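The identification step above, as an added example (not code from the original page): it scans name server log lines for zone transfer events and flags any transfer served to a host that is not one of the configured secondaries. The allowed secondary addresses, the zone name and the log lines are all constructed; the message shape follows BIND's "transfer of '<zone>/IN': AXFR started" entry, in both its older "client IP#port:" and newer "client @0x... IP#port (zone):" forms.

```python
"""Flag DNS zone transfers (AXFR/IXFR) served to hosts that are not our secondaries.

Added example (not from the original page). The addresses and log lines are
constructed; the message shape follows BIND's "transfer of ... started" entry.
"""
import re
from typing import Iterable, List, NamedTuple, Set

# Hosts allowed to pull zones: the secondary and tertiary name servers (constructed).
ALLOWED_SECONDARIES: Set[str] = {"192.0.2.53", "192.0.2.54"}

# Matches both the older "client IP#port:" and newer "client @0x... IP#port (zone):"
# forms, and only the "started" event so each transfer is counted once.
TRANSFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: transfer of '(?P<zone>[^']+)/IN': "
    r"(?P<kind>AXFR|IXFR)(?:-style IXFR)? started"
)


class Transfer(NamedTuple):
    client: str
    zone: str
    kind: str


def parse_transfers(lines: Iterable[str]) -> List[Transfer]:
    """Extract every zone transfer start event from named log lines."""
    found: List[Transfer] = []
    for line in lines:
        m = TRANSFER_RE.search(line)
        if m:
            found.append(Transfer(m["ip"], m["zone"], m["kind"]))
    return found


def unauthorized_transfers(lines: Iterable[str],
                           allowed: Set[str] = ALLOWED_SECONDARIES) -> List[Transfer]:
    """Return transfers served to any client outside the allowed secondary set."""
    return [t for t in parse_transfers(lines) if t.client not in allowed]


# Constructed sample of a named log: two legitimate secondary refreshes, an
# ordinary query, and one full dump to an outside host (what "nslookup ls -d"
# or "dig ... -t AXFR" from an attacker looks like on the server side).
SAMPLE_LOG = """\
10-Mar-2024 03:12:01.114 xfer-out: info: client @0x7f3a1c0a2b40 192.0.2.53#41234 (example.com): transfer of 'example.com/IN': IXFR started (serial 2024031001)
10-Mar-2024 03:12:01.120 xfer-out: info: client @0x7f3a1c0a2b40 192.0.2.53#41234 (example.com): transfer of 'example.com/IN': IXFR ended
10-Mar-2024 03:12:07.551 queries: info: client @0x7f3a1c0a9d10 198.51.100.7#55021 (www.example.com): query: www.example.com IN A +E(0) (192.0.2.1)
10-Mar-2024 03:14:40.002 xfer-out: info: client @0x7f3a1c0a2b40 192.0.2.54#48811 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031001)
10-Mar-2024 03:15:22.908 xfer-out: info: client 203.0.113.5#34567: transfer of 'example.com/IN': AXFR started (serial 2024031001)
""".splitlines()

if __name__ == "__main__":
    for t in unauthorized_transfers(SAMPLE_LOG):
        print(f"ALERT: {t.kind} of {t.zone} served to non-secondary {t.client}")
```

Seeing the event in the log at all means the preparation step failed: a primary whose transfers are restricted to its secondaries (in BIND, the `allow-transfer` option) refuses the outside request and logs a denial instead, which is the line to alert on in a hardened setup. The allowed-host set in the detector should be the same list as the server's transfer ACL, so the two do not drift apart.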
What sites can be used for reconnaissance? correct answers * target's own sites
* press releases
* white papers
* design documents
* sample deliverables
* open positions
* key people
* contacts
* business partners
* ISP
What are some open source information locations? correct answers * Public databases
- EDGAR database (SEC filings) for public companies
- Job sites
- Hacker sites
What are some web site search defenses? correct answers * Preparation
- Limit and control the information you publish
- Know what info is being given away and perform a risk analysis on it