Which of the following is a technique used by attackers to make a message difficult to understand through the use of ambiguous language?
Answer : D
Obfuscation is a technique used to make data or code difficult to understand. It is often employed by attackers to conceal the true intent of their code or communications, making it harder for security professionals, automated tools, and others to analyze or detect malicious activity. Obfuscation can involve the use of ambiguous or misleading language, as well as more technical methods such as encoding, encryption, or the use of nonsensical variable names in source code to hide its true functionality.
XYZ Inc. was affected by a malware attack, and James, the incident handling and response (IH&R) team member handling the incident, found that the root cause of the incident was a backdoor that had bypassed the security perimeter due to an existing vulnerability in the deployed firewall. James had contained the spread of the infection and removed the malware completely. Now the organization has asked him to perform an incident impact assessment to identify the impact of the incident on the organization, and he was also asked to prepare a detailed report of the incident.
Which of the following stages in the IH&R process is James working on?
Answer : C
James is working on the post-incident activities stage of the Incident Handling and Response (IH&R) process. After containing the spread of the infection and removing the malware, the focus shifts to assessing the impact of the incident on the organization and preparing a detailed report. This phase involves analyzing the extent of the damage, determining the cost of the attack, evaluating how well the incident was managed, and identifying lessons learned to improve future response efforts. The objective is to restore systems to normal operation, ensure no remnants of the threat remain, and implement measures to prevent recurrence. Reference: Incident Handler (ECIH v3) courses and study guides outline the IH&R process, emphasizing the importance of post-incident activities for organizational recovery and improvement of future security measures.
Bran is an incident handler who is assessing the network of the organization. He wants to detect ping sweep attempts on the network using Wireshark. Which of the following Wireshark filters would Bran use to accomplish this task?
Answer : B
In the context of using Wireshark, a popular network protocol analyzer, to detect ping sweep attempts on a network, the filter icmp.type==8 is used. ICMP (Internet Control Message Protocol) is utilized for sending error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP type 8 messages are echo requests, which are used by the ping command to test the reachability of a host on an IP network. A ping sweep consists of ICMP echo requests sent to multiple hosts to find which ones are alive. By applying the icmp.type==8 filter in Wireshark, Bran can isolate and examine the echo request messages, helping to identify ping sweep attempts, which are characterized by a high volume of ICMP echo requests over a broad range of IP addresses in a short period.
A US Federal Agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency's reporting timeframe guidelines, this incident should be reported within 2 h of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.
Which US Federal Agency incident category does this incident belong to?
Answer : B
In the context of US Federal Agencies, incidents are categorized based on their impact on operations, assets, or individuals. A DoS attack that prevents or impairs the authorized functionality of networks and is still ongoing without successful mitigation efforts typically falls under Category 2 (CAT 2). This category is designated for incidents that have a significant impact, requiring immediate reporting and response. The reporting timeframe of within 2 hours as mentioned aligns with the urgency associated with CAT 2 incidents, emphasizing the need for swift action to address the attack and restore normal operations. Reference: US Federal incident response guidelines and the Incident Handler (ECIH v3) courses outline the categorization of cybersecurity incidents, detailing the response protocols for each category, including the reporting timeframes.
John is a professional hacker who is performing an attack on the target organization where he tries to redirect the connection between the IP address and its target server such that when the users type in the Internet address, it redirects them to a rogue website that resembles the original website. He tries this attack using cache poisoning technique. Identify the type of attack John is performing on the target organization.
Answer : B
Pharming is a cyber attack intended to redirect a website's traffic to another, bogus website. By poisoning a DNS server's cache, attackers can redirect users from the site they intended to visit to one that is malicious, without the user's knowledge or any action on their part, such as clicking a deceptive link. This technique is particularly insidious because it can affect well-intentioned users who type the correct URL into their browsers but are still redirected. War driving involves searching for wireless networks from a moving vehicle, skimming refers to stealing credit card information using a device placed on ATMs or point-of-sale terminals, and pretexting is a form of social engineering where the attacker lies to obtain privileged data. Reference: The Incident Handler (ECIH v3) certification program covers a variety of cyber attacks and techniques, including DNS poisoning and pharming, explaining how attackers exploit vulnerabilities to redirect users to fraudulent sites.
Clark, a professional hacker, exploited the web application of a target organization by tampering with the form and parameter values. He successfully exploited the web application and gained access to the information assets of the organization.
Identify the vulnerability in the web application exploited by the attacker.
Answer : A
The vulnerability exploited by Clark through tampering with form and parameter values to gain unauthorized access to information assets is indicative of Broken Access Control. Broken Access Control vulnerabilities occur when a web application does not properly enforce restrictions on what authenticated users are allowed to do. Attackers can exploit these vulnerabilities to access unauthorized functionality or data, such as accessing other users' accounts, viewing sensitive files, and modifying other users' data.
Michael is a part of the computer incident response team of a company. One of his responsibilities is to handle email incidents. The company receives an email from an unknown source, and one of the steps that he needs to take is to check the validity of the email. Which of the following tools should he use?
Answer : B
Email Dossier is a tool designed to assist in the investigation of email incidents by analyzing and validating email headers and providing detailed information about the origin, routing, and authenticity of an email. When Michael is tasked with handling an email incident and needs to check the validity of an email received from an unknown source, Email Dossier can be utilized to trace the email's path, assess its credibility, and identify potential red flags associated with phishing or other malicious email-based attacks.