Logical Operations Certification Exam Objectives: CF1-210

Transcription

1 Lgical Operatins Certificatin Exam Objectives: CF1-210 **Nte: CF1-210 is the exam number designatin fr the CFR-210 beta exam. Once live, the exam will be designated CFR-210. INTRODUCTION The table belw lists the dmains measured by this examinatin and the apprpriate extent t which they are represented. Dmain % f Examinatin 1.0 Threat Landscape 25% 2.0 Passive Data Driven Analysis 27% 3.0 Active Asset and Netwrk Analysis 28% 4.0 Incident Respnse Lifecycle 20% Ttal 100% **Nte: The lists f examples prvided in bulleted frmat belw each bjective are nt exhaustive lists. Other examples f technlgies, prcesses r tasks pertaining t each bjective may als be included n the exam althugh nt listed r cvered in this bjectives dcument. (A list f acrnyms used in these Objectives appears at the end f this dcument.)

2 1.0 Threat Landscape 1.1 Cmpare and cntrast varius threats and classify threat prfiles Threat actrs Script kiddies Recreatinal hackers Prfessinal hackers Hacktivists Cyber criminals State spnsred hackers Terrrists Insider Threat mtives Desire fr mney Desire fr pwer Fun/thrill/explratin Reputatin/recgnitin Assciatin/affiliatin Threat intent Blackmail Theft Espinage Revenge Hacktivism/plitical Defamatin f character Attack vectr Vulnerabilities Explits Techniques Technique criteria Targeted / nn-targeted Direct / indirect Stealth / nn-stealth Client-side / server-side Understanding qualitative risk and impact 1.2 Explain the purpse and use f attack tls and techniques Ftprinting Open surce intelligence Clsed surce intelligence Scanning Prt scanning Vulnerability scanning Targeted vulnerability scanners vs. general vulnerability scanners Netwrk scanning

3 Web app scanning Enumeratin User enumeratin Applicatin enumeratin enumeratin War dialing Gaining access Explitatin framewrks Client side attacks Applicatin explits Brwser explits Server side attacks Mbile Malicius apps Malicius texts Hijacking/rting Web attacks CSRF SQL injectin Directry traversal LFI/RFI Cmmand injectin Passwrd attacks Passwrd cracking Brute frcing Passwrd guessing Passwrd dictinary Rainbw tables Passwrd sniffing Wireless attacks Wireless cracking Wireless client attacks Infrastructure attacks Scial Engineering Man-in-the-middle ARP spfing ICMP redirect DHCP spfing NBNS spfing Sessin hijacking DNS pisning Malware Trjan Malvertisement Virus Wrm Out f band OEM supply chain Watering hle Denial f Service DDS LOIC/HOIC

4 Resurce exhaustin Frced system utage Packet generatrs 1.3 Explain the purpse and use f pst explitatin tls and tactics Cmmand and cntrl IRC HTTP/S DNS Custm channels ICMP Data exfiltratin Cvert channels File sharing services Pivting VPN SSH tunnels Ruting tables Lateral mvement Pass the hash Glden ticket psexec wmic Remte access services Persistence / maintaining access Rtkits Backdrs Hardware backdr Rgue accunts Lgic bmbs Keylgging Anti-frensics Glden ticket Buffer verflws against frensics tls Packers Virtual machine detectin Sandbx detectin ADS Shredding Memry residents Cvering yur tracks Lg wipers 1.4 Explain the purpse and use f scial engineering tactics Phishing Phishing variatins Spear phishing Whaling Vishing Delivery mediums IM

5 Pst card Text QR cde Scial netwrking sites Cmmn cmpnents Spfing messages Rgue dmains Malicius links Malicius attachments Shulder surfing Tailgating Face-t-face interactin Fake prtals/malicius websites 1.5 Given a scenari, perfrm nging threat landscape research and use data t prepare fr incidents. Latest technlgies, vulnerabilities, threats and explits Utilize trend data t determine likelihd and threat attributin New tls / preventin techniques Data gathering / research tls Jurnals Vulnerability databases Bks Blgs Intelligence feeds Security advisries Scial netwrk sites Cmmn targeted assets Financial infrmatin Credit card numbers Accunt infrmatin Intellectual Prperty PHI PII 2.0 Passive Data-Driven Analysis 2.1 Explain the purpse and characteristics f varius data surces Netwrk-based Device cnfiguratin file(s) Firewall lgs WAF lgs IDS/IPS lgs Switch lgs Ruter lgs Carrier prvider lgs Prxy lgs Wireless WAP lgs WIPS lgs

6 Cntrller lgs Netwrk sniffer Packet capture Traffic lg Flw data Device state data CAM tables Ruting tables NAT tables DNS cache ARP cache Hst-based System lgs Service lgs SSH lgs Time Crypt prtcl User Success/failure HTTP lgs HTTP methds (get, pst) Status cdes Headers User agents SQL lgs Access lgs Query strings SMTP lgs FTP lgs DNS lgs Suspicius lkups Suspicius dmains Types f DNS queries Windws event lgs App lg System lg Security lg Linux syslg Applicatin lgs Brwser HIPS lgs AV lgs Integrity checker Vulnerability testing data Third party data Autmated / sftware testing prgrams 2.2 Given a scenari, use apprpriate tls t analyze lgs Lg analytics tls Linux tls grep cut

7 diff Windws tls Find WMIC Event viewer Scripting languages Bash Pwer shell Lg crrelatin SIEMs 2.3 Given a scenari, use regular expressins t parse lg files and lcate meaningful data Search types Keywrd searches IP address searches Special character searches Prt number searches Search peratrs & ~ r! -. *? + ( ) [ ] $ ^ \ Special peratrs \W \w \s \D \d \b \c 3.0 Active Asset and Netwrk Analysis 3.1 Given a scenari, use Windws tls t analyze incidents Registry REGEDIT Key, Hives, Values, Value types HKLM, HKCU REGDUMP AUTORUNS Netwrk

8 Wireshark fprt netstat ipcnfig nmap tracert net nbtstat File system dir pe explrer disk utilizatin tl Prcesses TLIST PROCMON Prcess explrer Services Services.msc Mscnfig Net start Task scheduler Vlatile memry analysis Active Directry tls 3.2 Given a scenari, use Linux-based tls t analyze incidents Netwrk nmap netstat wireshark tcpdump tracerute arp ifcnfig File system lsf iperf dd disk utilizatin tl Prcesses htp tp ps Vlatile memry free Sessin management w,wh rwh lastlg 3.3 Summarize methds and tls used fr malware analysis Methds

9 Sandbxing Virtualizatin Threat intelligence websites Crwd surce signature detectin Virus ttal Reverse engineering tls IDA Ollydbg General tls strings Antivirus Malware scanners 3.4 Given a scenari, analyze cmmn indicatrs f ptential cmprmise Unauthrized prgrams in startup menu Malicius sftware Presence f attack tls Registry entries Excessive bandwidth usage Off hurs usage New administratr/user accunts Guest accunt usage Unknwn pen prts Unknwn use f prtcls Service disruptin Website defacement Unauthrized changes/mdificatins Suspicius files Recipient f suspicius s Unauthrized sessins Failed lgins Rgue hardware 4.0 Incident Respnse Lifecycle 4.1 Explain the imprtance f best practices in preparatin fr incident respnse Preparatin and Planning Up-t-date cntact lists Up-t-date tlkit Onging training Incident respnder Incident respnse team Management Tabletp (theretical) exercises Cmmunicatin methds Secure channels Out f band cmmunicatins Organizatinal dcumentatin Plicies Prcedures

10 Incident respnse plan Escalatin prcedures Chain f cmmand Industry standards fr incident respnse 4.2 Given a scenari, execute incident respnse prcess Preparatin Identificatin Detectin / analysis Cllectin Cntainment Eradicatin Recvery Pst incident Lessns learned Reprting & dcumentatin 4.3 Explain the imprtance f cncepts that are unique t frensic analysis Authrizatin t cllect infrmatin Legal defensibility Chain f custdy Legally cmpliant tls Encase FTK Frensics explrer Cnfidentiality Evidence preservatin and evidence security Digital Imaging Hashing Physical Secure rms and facilities Evidence bags Lck bxes Law enfrcement invlvement 4.4 Explain general mitigatin methds and devices Methds System hardening Deactivate unnecessary services Patching Updating internal security devices Reprt malware signatures Custm signatures Blck external surces f malware DNS filtering Blackhle ruting System and applicatin islatin Mbile device management Applicatin whitelist Devices Firewall

11 WAF Switch Ruters Prxy Virtual Machine Mbile Desktp Server CyberSec First Respnder ACRONYMS Acrnym ADS ARP AV BASH CAM CSRF DDS DHCP DNS FTK FTP GREP HIPS Definitin Alternate Data Stream Address Reslutin Prtcl Antivirus Burne Again Shell Cntent Addressable Memry Crss-site Request Frgery Distributed Denial f Service Dynamic Hst Cnfiguratin Prtcl Dmain Name System Frensic Tl Kit File Transfer Prtcl Glbal Regular Expressin Print Hst Intrusin Preventin System

12 HKCU HKLM HOIC HTTP HTTPS ICMP IDS IM IP IPS IRC LFI LOIC LSOF NAT NBNS NIPS OEM PE PHI PII QR RFI SIEM SMTP SQL SSH VPN WAF WAP WIPS WMIC Hst Key Current User Hst Key Lcal Machine High Orbit In Cannn Hyper Text Transfer Prtcl Hyper Text Transfer Prtcl Secure Internet Cntrl Message Prtcl Intrusin Detectin System Instant Message Internet Prtcl Intrusin Preventin System Internet Relay Chat Lcal File Inclusin Lw Orbit In Cannn List Open Files Netwrk Address Translatin NetBIOS Name Service Netwrk Intrusin Preventin System Original Equipment Manufacturer Prtable Executable Prtected Health Infrmatin Persnally Identifiable Infrmatin Quick Respnse Remte File Inclusin Security Infrmatin Event Management Simple Mail Transfer Prtcl Structured Query Language Secure Shell Virtual Private Netwrk Web Applicatin Firewall Wireless Access Pint Wireless Intrusin Preventin System Windws Management Instrumentatin Cmmand Line