Am I Ready for AEGIS?

1 / 44 Where are you from?
  (select your country from the list)

2 / 44 What is your education level?
  High School
  Associate
  Bachelor
  Master
  Doctorate

3 / 44 What is your current title?
  SOC Analyst Tier 1
  SOC Analyst Tier 2
  SOC Analyst Tier 3
  Red Teamer
  Pentester
  Threat Hunter
  CISO
  Network Security Analyst
  Network Security Engineer
  Security Engineer
  Security Researcher
  System Security Analyst
  System Security Engineer
  Source Code Auditor
  Reverse Engineer
  Malware Analyst

4 / 44 What industry do you work in?
  (select your industry from the list)

5 / 44 How many years of experience do you have in your field?
  0-1
  1-3
  3-5
  5+

6 / 44 Since the cyber threat landscape evolves continuously, do you consider yourself an eager listener and an ongoing learner?
  Yes
  No

7 / 44 Do you think you have the ability to not lose sight of the forest for the trees, yet still be able to see the trees?
  Yes
  No

8 / 44 Do you have any previous experience with SIEM products, Elasticsearch or log collection?
  Yes
  No

9 / 44 Do you have scripting experience?
  Yes
  No

10 / 44 Given the /etc/passwd content below, which of the following commands gives you the list of user shells together with a count for each?

  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin

  awk -F: '{print $5}' /etc/passwd | sort -n | uniq
  awk /etc/passwd -F: '{print $6}' | sort -u | uniq -c
  awk -F: '{print $7}' /etc/passwd | sort | uniq -c
  awk -F: '{print $7}' /etc/passwd | sort -nr | uniq -d

11 / 44 Which Bash command syntax executes the second command regardless of whether the first command fails?
  tar -c dir -xvf file.tar || cd dir
  mkdir $HOME/test && cat /etc/passwd
  tar -C dir -xvf file.tar &| cd dir
  mkdir $HOME/test |& cat /etc/passwd

12 / 44 Which keyboard shortcut lets you search bash history?
  Esc + R
  Ctrl + H
  Ctrl + R
  Alt + R

13 / 44 You want to find credentials in files on Windows and Linux operating systems. Which command syntax can you use to find the text "passwords" inside files?
  Get-ChildItem -Recurse . | Select-String -Pattern "assw" | Select-Object -Unique Path
  find . -readable -type f -exec grep -iH --include=*.{txt,php,conf} 'assw' {} \;
  for i in `ls -p | grep -v /`; do grep -iH "assw" $i; done
  All of the above

14 / 44 Which of the following technologies is NTLM associated with?
  SAML
  Active Directory
  OAuth
  RADIUS

15 / 44 From which log source is it possible to detect directory traversal attacks on Apache?
  kern.log
  auth.log
  mysql.log
  access.log

16 / 44 Which of the following utilities, found in most versions of Linux, is useful for scheduling recurring tasks?
  cron
  whois
  scp
  oscap

17 / 44 For reviewing syslogs, which directory should be checked on most Linux distros?
  /home/log
  /var/log
  /log
  /var/syslog

18 / 44 Which log source can be used to detect the Windows API calls used for process injection?
  Event Log
  Sysmon
  IIS application logs
  PowerShell script block logging

19 / 44 Which one of the following protocols is used to collect information from all the network devices?
  Simple Network Management Protocol (SNMP)
  Network File System (NFS)
  Internet Control Message Protocol (ICMP)
  Transmission Control Protocol (TCP)

20 / 44 IP fragmentation occurs when:
  The receiver is not ready for all the data from the sender.
  There are more bytes in the IP packet than the size of the Maximum Transmission Unit of all links from sender to receiver.
  There are more bytes in the IP packet than the size of the receiving TCP window.
  There are more bytes in the payload that follows the IP header than the size of the Maximum Transmission Unit of all links from sender to receiver.

21 / 44 The Time to Live (TTL) field in the IP header is used to:
  Make sure all associated fragments arrive within a given window of time.
  Expire TCP segments in transit when the TTL value becomes 0.
  Flush DNS records from cache when the TTL value is exceeded.
  Expire IP packets in transit when the TTL value becomes 0.

22 / 44 Suppose a SYN packet is spoofed using a real IP address and sent to a server, which responds with a SYN/ACK to the actual IP address. How does the host at the real IP address respond?
  With an acknowledgement, since it did not send the SYN
  With a reset, since it did not send the SYN
  With a duplicate SYN, since it did not send the SYN
  With a TTL of 0, since it did not send the SYN

23 / 44 Which type of Windows log is most likely to contain information about a file being deleted?
  httpd logs
  Security logs
  System logs
  Configuration logs

24 / 44 Why are humans still the weakest link in cyber security?
  Threat actors spend their days thinking of new ways to exploit human vulnerabilities and are rewarded for their innovation.
  Average people do not spend all their time thinking about security and may feel powerless in preventing attacks.
  Cybersecurity practitioners may be the only people at their organizations who spend their workdays focused on prevention, protection and mitigation activities.
  All of the above.

25 / 44 Which statement correctly defines threat, vulnerability and risk?
  Threat is the intersection of assets, threats, and vulnerabilities; vulnerability is what we're trying to protect against; risk is a weakness or gap in our protection efforts.
  Threat is what we're trying to protect against; vulnerability is a weakness or gap in our protection efforts; risk is the intersection of assets, threats, and vulnerabilities.
  Threat is a weakness or gap in our protection efforts; vulnerability is the intersection of assets and threats; risk is what we're trying to protect against.
  Threat is the intersection of assets, threats, and vulnerabilities; vulnerability is a weakness or gap in our protection efforts; risk is what we're trying to protect against.

26 / 44 What is a false positive?
  An alert that indicates nefarious activity on a system that, upon further inspection, turns out to truly be nefarious activity.
  The lack of an alert for nefarious activity.
  An alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior.
  All of the above.

27 / 44 A security analyst wants to capture data flowing in and out of a network. Which of the following would MOST likely assist in achieving this goal?
  Taking a screenshot.
  Analyzing network traffic and logs.
  Analyzing big data metadata.
  Capturing a system image.

28 / 44 _____ includes attackers who target systems for monetary gain or to cause disruption.
  Cybercrime
  Cyber attack
  Information threats
  Cyber extremism

29 / 44 A cybersecurity analyst receives a phone call from an unknown person. After starting the conversation, the caller begins to request sensitive information. Which of the following techniques is being applied?
  Social engineering
  Phishing
  Impersonation
  War dialing

30 / 44 _______ is the process of researching, collecting, and analyzing data that is available from public or open sources of information.
  Active scanning
  Fingerprinting
  OSINT gathering
  Web scraping

31 / 44 What is the term for all points or areas in a system that could be used or compromised to allow attackers entry into the system?
  DMZ
  Attack surface
  Attack methodology
  Vulnerable radius

32 / 44 How can malware be distributed?
  Found USB stick
  Email attachments
  Browser plugins
  All of these

33 / 44 An analyst finds that attackers have left software on a computer in the company's network that gives them remote access to the system. How should this malware be classified?
  Worm
  Trojan
  Cryptolocker
  Backdoor

34 / 44 Which type of malware is used to take over and link a large number of computers in order to execute a DDoS attack?
  Botnet
  RAT
  Ransomware
  Worm

35 / 44 Which MITRE ATT&CK tactic describes an attacker gathering information about the environment they have gained access to?
  Defense Evasion
  Collection
  Discovery
  Privilege Escalation

36 / 44 An analyst notices that a user from building maintenance is a member of the Domain Admins group. Which MITRE ATT&CK tactic does this indicate?
  Discovery
  Impact
  Privilege Escalation
  Defense Evasion

37 / 44 Which MITRE ATT&CK tactic describes an attacker's efforts to avoid detection?
  Lateral Movement
  Execution
  Defense Evasion
  Impact

38 / 44 What is an "Over Pass the Hash" attack?
  Brute-forcing a Kerberos service
  Changing the password of a domain admin
  Forging a Kerberos ticket remotely using a user's password hash
  Obtaining a user's password

39 / 44 What type of attack can be assumed if this IDS rule was hit?

  alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Attack"; flow:to_server,established; content:"alert(document.cookie)"; nocase; sid:1000000;)

  Cross site scripting
  SQL injection
  Process injection
  File inclusion

40 / 44 What type of attack can be assumed if you see log lines like these in access.log?

  X.X.X.X - [09:33:54] "GET /?C=/etc/passwd HTTP/1.1" 200
  X.X.X.X - [09:33:54] "GET /?C=/etc/passwd%00 HTTP/1.1" 200
  X.X.X.X - [09:33:55] "GET /?C=../../../../../../../../../etc/passwd HTTP/1.1" 200
  X.X.X.X - [09:33:56] "GET /?C=/../../../../../../../../../../etc/passwd HTTP/1.1" 200
  X.X.X.X - [09:33:56] "GET /?C=../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200
  X.X.X.X - [09:33:57] "GET /?C=/../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200

  Command injection
  Local file inclusion
  Path traversal
  Remote file inclusion

41 / 44 Which single character is most likely to produce a SQL statement error?
  '
  =
  $
  NULL

42 / 44 What are the two most common phases of malware analysis?
  Behavioral and code analysis
  User and kernel mode analysis
  Identification and containment analysis
  Registry and file system analysis

43 / 44 Which of the following tools best supports the concept of breakpoints?
  Debugger
  Disassembler
  Sniffer
  Logger

44 / 44 Which of the following API calls is most likely to be used by a keylogger?
  GetAsyncKeyState
  GetProcAddress
  POP
  VirtualAllocEx
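Worked example for question 10, added here as an editor's illustration and not part of the quiz itself. It runs the shell-counting pipeline over a constructed /etc/passwd sample (the three lines from the question plus two made-up accounts) and adds the check a practitioner usually wants next: which accounts can actually obtain an interactive shell. The pipeline uses field 7, and it sorts before uniq because uniq only merges adjacent duplicates; the other options in the question pick the wrong field, drop the count, or (with uniq -d) print only duplicated shells without a count.

```shell
# Constructed /etc/passwd sample for the demo (not a real system's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
svc:x:1001:1001:service account:/var/lib/svc:/bin/sh
deploy:x:1002:1002:deploy:/home/deploy:/bin/bash'

# Count accounts per login shell: field 7 of passwd, sorted so that uniq can
# merge repeated shells, then counted with uniq -c.
shell_counts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '{print $7}' | sort | uniq -c
}

# List accounts whose shell is neither nologin nor false, i.e. accounts that
# can get an interactive shell. Stray service accounts show up here.
login_capable_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" \
      | awk -F: '$7 !~ /(nologin|false)$/ {print $1 ":" $7}'
}

# The same count against the live system (reads the real /etc/passwd).
live_shell_counts() {
    awk -F: '{print $7}' /etc/passwd | sort | uniq -c
}

shell_counts
login_capable_accounts
```

On the sample, shell_counts reports 2 accounts on /bin/bash, 2 on /usr/sbin/nologin and 1 on /bin/sh, and login_capable_accounts lists root, svc and deploy; replace the sample with live_shell_counts to audit a real host.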
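Worked example for questions 15, 39 and 40, added here by the editor and not part of the quiz. It classifies constructed Apache access.log lines (the quiz's X.X.X.X replaced with made-up RFC 5737 addresses, timestamps and sizes invented) as path traversal or cross-site scripting. The point the question only hints at is that the attacker can percent-encode the payload, so the detector decodes the common encodings before matching; a pattern that looks only for a literal "../" misses "..%2F..%2F". The url_decode helper is deliberately minimal and handles only the characters the patterns depend on.

```shell
# Constructed access.log sample for the demo; addresses are RFC 5737 test
# addresses and the timestamps and response sizes are invented.
SAMPLE_LOG='192.0.2.10 - - [10/Jan/2024:09:33:54 +0000] "GET /?C=/etc/passwd HTTP/1.1" 200 1234
192.0.2.10 - - [10/Jan/2024:09:33:55 +0000] "GET /?C=../../../../../../../../../etc/passwd HTTP/1.1" 200 1234
192.0.2.10 - - [10/Jan/2024:09:33:56 +0000] "GET /?C=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1234
192.0.2.11 - - [10/Jan/2024:09:34:02 +0000] "GET /search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 88
192.0.2.12 - - [10/Jan/2024:09:35:00 +0000] "GET /index.html HTTP/1.1" 200 5120'

# Decode the percent-encodings attackers commonly use to evade naive string
# matching. Only the characters our patterns depend on are decoded; %00 is
# left as-is so it can be matched as a null-byte truncation marker.
url_decode() {
    sed -e 's/%2[eE]/./g' -e 's/%2[fF]/\//g' -e 's/%5[cC]/\\/g' \
        -e 's/%3[cC]/</g' -e 's/%3[eE]/>/g' -e 's/%28/(/g' -e 's/%29/)/g'
}

# Print "<class> <client ip> <raw request path>" for each suspicious line.
# Clean requests produce no output.
classify_requests() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        ip=${line%% *}
        # The request line is the second double-quoted field; its path is word 2.
        req=$(printf '%s\n' "$line" | awk -F'"' '{print $2}' | awk '{print $2}')
        decoded=$(printf '%s\n' "$req" | url_decode)
        case "$decoded" in
            *'../'*|*'/etc/passwd'*|*'%00'*)
                echo "path-traversal $ip $req" ;;
            *'<script'*|*'alert(document.cookie)'*)
                echo "xss $ip $req" ;;
        esac
    done
}

classify_requests
```

Against the sample, the three requests from 192.0.2.10 are reported as path traversal (including the one that was fully percent-encoded), the request from 192.0.2.11 as XSS, and the plain GET /index.html is not reported. To run it over a real log, replace the printf of SAMPLE_LOG with tail -f /var/log/apache2/access.log or the equivalent path on your distribution.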