AM I READY FOR AEGIS

Am I Ready for AEGIS?

1 / 44

Where are you from?

2 / 44

What is your education level?

High School

Associate

Bachelor

Master

Doctorate

3 / 44

What is your current title?

4 / 44

What Industry do you work in?

5 / 44

How many years experience do you have in your field?

0-1

1-3

3-5

6 / 44

Since the cyberthreat landscape evolves continuously, do you consider yourself as an eager listener and an ongoing learner?

Yes

False

7 / 44

Do you think you have the ability to not lose sight of the forest for the trees, yet still to be able to see the trees?

Yes

8 / 44

Do you have any previous experience with SIEM products, elastic search or log collection?

Yes

9 / 44

Do you have a scripting experience?

Yes

10 / 44

Which of following command give you output of user shells and counts?

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin

awk -F: ' {print $5} ' /etc/passwd | sort -n | uniq

awk /etc/passwd -F: ‘ { print $6 } ‘ | sort -u | uniq -c

awk -F: ' {print $7} ' /etc/passwd | sort | uniq -c

awk -F: ' {print $7} ' /etc/passwd | sort -nr | uniq -d

11 / 44

Which Bash command syntax will execute regardless of whether the previous command fails?

tar -c dir -xvf file.tar || cd dir

mkdir $HOME/test && cat /etc/passwd

tar -C dir -xvf file.tar &| cd dir

mkdir $HOME/test |& cat /etc/passwd

12 / 44

Which keyboard shortcut let you search bash history?

Esc + R

Ctrl + H

Ctrl + R

Alt + R

13 / 44

You want to find credentials in files on Windows and Linux operating systems. Which command syntax can you use to find the text “passwords” inside of files?

Get-ChildItem -Recurse . | Select-String -Pattern "assw" | Select-Object -Unique Path

find . -readable -type f -exec grep -iH --include=*.{txt,php,conf} 'assw' {} \;

for i in `ls -p | grep -v /`; do grep -iH "assw" $i; done

All of the above

14 / 44

Which of the following technologies is NTLM associated with?

SAML

Active Directory

OAuth

RADIUS

15 / 44

From which log source it is possible to detect directory traversal attacks on apache?

kern.log

auth.log

mysql.log

access.log

16 / 44

Which of the following utilities, found in most versions of Linux, is useful for scheduling recurring tasks?

cron

whois

scp

oscap

17 / 44

For reviewing syslogs, which directory should be checked for most Linux distros?

/home/log

/var/log

/log

/var/syslog

18 / 44

Using which source it is possible to detect process injection Windows API requests?

Eventlog

Sysmon

IIS Application logs

Powershell scriptblock logging

19 / 44

Which one of the following protocols is used to collect information from all the network devices?

Simple Network Management Protocol (SNMP)

Network File system (NFS)

Internet Control Message Protocol (ICMP)

Transmission Control Protocol (TCP)

20 / 44

IP fragmantation occurs when:

The receiver is not ready for all the data from the sender.

When there are more bytes in the IP packet than the size of the Maximum Transmission Unif of all links from sender to receiver.

When there are more bytes in the IP packet than the size of the receiving TCP Windows.

When there are more bytes in the payload that follows the IP header than the size of the Maximum Transmission Unif of all links from the sender to receiver.

21 / 44

The Time to Live (TTL) field/value found in the IP header are used to:

Make sure all associated fragments arrive with a given window of time.

Expire TCP segments in transit when the TTL value becomes 0

Flush DNS records from cache when the TTL value is exceeded

Expire IP packets in transit when the TTL value becomes 0

22 / 44

Suppose a SYN packet is spoofed using a real IP address and then sent to a server that responds with a SYN/ACK to the actual IP address. How does the real IP address respond?

With an acknowledgement since it did not send the SYN

With a reset since it did not send the SYN

With a duplicate SYN since it did not send the SYN

With a TTL of 0 since it did not send the SYN

23 / 44

Which type of Windows log is most likely to contain information about a file being deleted?

httpd logs

Security logs

System logs

Configuration logs

24 / 44

Why are humans still the weakest link is cyber security?

Threat actors spend their days thinking of new ways to exploit human vulnerabilities and are rewarded for their innovation.

Average people do not spend all their time thinking about security and may feel powerless in preventing attacks.

Cybersecurity practitioners may be the only people at their organizations who spend their workdays focused on prevention, protection and mitigation activities.

All of the above.

25 / 44

What is risk, vulnerability and threat?

Threat is the intersection of assets, threats, and vulnerabilities, vulnerability is what we’re trying to protect against, risk is a weakness or gap in our protection efforts.

Threat is what we’re trying to protect against, vulnerability is a weakness or gap in our protection efforts, risk is the intersection of assets, threats, and vulnerabilities.

Threat is a weakness or gap in our protection efforts, vulnerability is the intersection of assets and threats, risk is what we’re trying to protect against.

Threat is the intersection of assets, threats, and vulnerabilities, vulnerability is a weakness or gap in our protection efforts, risk is what we’re trying to protect against.

26 / 44

What is false positive?

An alert that indicates nefarious activity on a system that, upon further inspection, turns out to truly be nefarious activity.

The lack of an alert for nefarious activity.

An alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior.

All of the above.

27 / 44

A security analyst wants to capture data flowing in and out of a network. Which of the following would MOST likely assist in achieving this goal?

Taking a screenshot.

Analyzing network traffic and logs.

Analyzing big data metadata.

Capturing system image

28 / 44

_____ includes attackers who target systems for monetary gain or to cause disruption.

Cybercrime

Cyber attack

Information threats

Cyber extremism

29 / 44

A cybersecurity analyst receives a phone call from an unknown person. After starting conversation, the caller begins to request sensitive information. Which of the following techniques is being applied?

Social engineering

Phishing

Impersonation

War dialing

30 / 44

_______ is the process of researching, collecting, and analyzing data that is available from public or open sources of information.

Active scanning

Fingerprinting

Osint gathering

Web scraping

31 / 44

What is the term meaning all points or areas in a system that could be used or compromised to allow hackers entry into the system?

DMZ

Attack Surface

Attack methdology

Vulnerable Radius

32 / 44

How can malware be distributed?

Found USB Stick

Email Attachments

Browser Plugins

All of these

33 / 44

Attackers have left software that allows them to have remote access to systems on a computer in his company's network. How should he describe or classify this malware?

Worm

Trojan

Cryptolocker

Backdoor

34 / 44

Which is type of malware used to take over and link large number of computers in order to execute DDoS attack?

Botnet

RAT

Ransomware

Worm

35 / 44

Which Mitre ATT&CK™ tactic describes the process of an attacker gathering information to provide more information on the environment that they have gained access to?

Defense Evasion

Collection

Discovery

Privilege Escalation

36 / 44

An analyst notices that a user from building maintenance is part of the Domain Admin group. Which of the following does this indicate Mitre Att&ck vectors?

Discovery

Impact

Privilege escalation

Defense Evasion

37 / 44

Which Mitre ATT&CK™ tactic describes an attacker’s efforts to avoid detection?

Lateral Movement

Execution

Defense Evasion

Impact

38 / 44

What is “Over Pass the Hash” attack?

Bruteforcing kerberos service

Changing password of domain admin

Forging a kerberos ticket using a users password hash remotely

Obtaining a users password

39 / 44

What type of attack can be considered if IDS rule was hit?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Attack"; flow:to_server,established;content:"alert(document.cookie)"; nocase; sid: 1000000;)

Cross site scripting

SQL injection

Process injection

File inclusion

40 / 44

What type of attack can be considered if you see logs like in access.log?

X.X.X.X - [09:33:54] "GET /?C=/etc/passwd HTTP/1.1" 200 X.X.X.X - [09:33:54] "GET /?C=/etc/passwd%00 HTTP/1.1" 200 X.X.X.X - [09:33:55] "GET /?C=../../../../../../../../../etc/passwd HTTP/1.1" 200 X.X.X.X - [09:33:56] "GET /?C=/../../../../../../../../../../etc/passwd HTTP/1.1" 200 X.X.X.X - [09:33:56] "GET /?C=../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 X.X.X.X - [09:33:57] "GET /?C=/../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200

Command injection

Local file inclusion

Path Traversal

Remote file inclusion

41 / 44

Which single character is most likely to produce a SQL statement error:

‘

NULL

42 / 44

What are the two most common phases of malware analysis?

Behavioral and code analysis

User and kernel mode analysis

Identification and containment analysis

Registry and file system analysis

43 / 44

Which of the following tools best supports the concept of breakpoints?

Debugger

Disassembler

Sniffer

Logger

44 / 44

Which of the following system calls is most likely to be used by a keylogger?

GetAsyncKeyState

GetProcAddress

POP

VirtualAllocEx