Acronyms
IDS and IPS Rule Changes
Forensics Tools
Definitions
Monitoring Output Analysis
100

SPAN

Switched port analyzer

100

Text to inform the responder what triggered the rule.

msg

100

Capturing from a network segment can be performed by a _____________

Switched port analyzer (SPAN) port

100

Protocol analysis

Using statistical tools to analyze a sequence of packets, or packet trace.

100

Which framework assures the most comprehensive spoofing mitigation for email services?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) framework

The Domain-based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are being utilized effectively.

200

TAP

Test access port

200

Match a new or existing TCP connection, or match regardless of TCP connection state.

flow

200

______ means that a device is inserted in the cabling to copy frames passing over it.

Test access port (TAP)

200

Percent encoding

Allows a user-agent to submit any safe or unsafe character (or binary data) to the server within the URL.

200

On what type of server(s) are spoofing mitigation records for common frameworks published?

DNS servers

300

DGA

Domain generation algorithm

300

Match an entry in an attack database, such as CAPEC or ATT&CK.

reference

300

____ is a command-line packet capture utility for Linux.

Tcpdump

300

Firewalking

A means of determining a router or firewall's ACL and mapping the internal network from the outside, or conversely discovering which outbound port and source address combinations are permitted.

300

Is any type of server other than SMTP required to implement S/MIME?

Secure/Multipurpose Internet Mail Extensions (S/MIME) requires that the user is issued a digital certificate containing his or her public key, signed by a certificate authority (CA) server.

400

WAF

Web application firewall

400

Apply a rate limiter to the rule by only triggering it if a threshold of events is passed over a particular duration.

track

400

_____ is an open-source graphical packet capture utility, with installer packages for most operating systems.

Wireshark

400

Black hole

Drops traffic before it reaches its intended destination, and without alerting the source.

400

What are the principal techniques for reverse assembling malware code?

The binary machine code can be disassembled to assembly code and potentially decompiled to high-level pseudocode. Another technique is to extract strings from the process image.

500

IDS

Intrusion detection system

500

Give the rule a unique ID and provide version information.

sid and rev

500

_____ refers to deep-down frame-by-frame scrutiny of captured frames using a tool such as Wireshark.

Packet analysis

500

Reverse proxy

Provides for protocol-specific inbound traffic.

500

You suspect that a host is infected with malware but cannot identify a suspect process using locally installed tools. What is your best course of action?

Contain the host within a sandbox for further analysis. The best approach is to monitor the host for outbound network connection attempts. If the host attempts to connect to suspicious domains or IP address ranges, you can identify the process responsible.