ThreatNG Security


I AM NOT A BOT Episode 7: “Passing”

This is a test. This is the test. The culmination of 15 weeks of study. The certification test. No one lives or dies when it’s done, but still …

You are conducting an incident response and have already eradicated the malware from a victimized system. Which of the following actions should you perform as part of the recovery phase?

A. Sanitization
B. Secure Disposal
C. Reimaging
D. Setting Permissions

Ok. If you don’t know the answer, eliminate some choices. In this case, we are talking about the phases of an incident report. Namely …

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

CompTIA is telling me we passed the eradication phase: rectifying the weakness that enabled the data breach to occur. Sanitization, Secure Disposal, and Reimaging are all part of the Eradication phase. Ergo … D.

Alrighty. Let’s gooooo! as Zae would say.

Which of the following is the difference between an incident summary report and a lessons-learned report?

A. An incident summary report is designed for a non-technical audience
B. A lessons-learned report is designed for a non-technical audience
C. Both a lessons learned report and an incident summary report are designed for a technical audience
D. Both a lessons learned report and an incident summary report are designed for a non-technical audience

Dangit. For this one, I’m 50/50. These reports are definitely one or the other. They are not the same. They are not both.

They say if you can eliminate answers and get to a 50/50 proposition, then you’ve won half the battle. Problem is that you can’t really win half a battle. Or said simpler, a 50 ain’t passing. I need to do better than that.

Passing Score: 750 (on a scale of 100-900)

An incident summary report is designed to distribute to stakeholders to reassure them that the incident has been properly handled.

I flip the answer to see which one sounds better.

A lessons-learned report is designed to distribute to stakeholders to reassure them that the incident has been properly handled.

Both sound the same to me. What about you?

Number of Questions: Maximum of 85 questions
Length of Test: 165 minutes

That’s basically two minutes per question. Is this question worth taking the extra time? That’s the ultimate question, right? What action, reaction, moment of silence is worth the meditative pause? What is worth the OT? Who?

I guess A. An incident summary report is designed for a non-technical audience. I go with the logic that most people in charge don’t want to learn lessons. They want us plebeians to learn the lessons, make the corrections. They’d rather keep their feet off the ground. Do you agree?

Up next is a PBQ. I used to fear performance-based questions. Everyone did early on in the semester. Understandable. We didn’t know enough yet. We weren’t ready. We were naked on stage about to give the soliloquy of our lifetime.

Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this.

1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable name of the malware?

Check the logs, I remind myself. That’s the job in a nutshell. Check the history.

I look towards my dad’s diary.

My online moderator warns me to keep my eyes on my computer.

I don’t know who warned me not to take this certification test at home. Edamame? JenWA? Whoever it was, they should’ve been more assertive.

This is the second warning I’ve received. And I have no idea if I will get a third or if I will fail if I look away again. I take a breath.

On the exhale, I remember that my cohort actually reviewed this PBQ a couple of weeks ago. We found it online. Exam Topics. The number of employees who clicked on the link is obvious = 7.

However, the crowdsourced answer to the malware executable name = isass.exe, making the number of workstations affected = 6. But that makes no sense to me. Tilapia.com is the destination of the link. (Ph)Fishing email, get it? That makes mailclient.exe the executable name of the malware, which makes the workstations affected = 4.

What do I do? Stick with the crowd? Go with my gut?

This is not a rhetorical question by the way. If you’re listening … if you’re reading … watching … feel free to leave your thoughts in the space provided.

I go with my gut. Just like you would’ve done, I think to myself.

Last question.

You are reviewing the IDS logs and notice the following log entry:

    (where email=support@diontraining.com and password= or 7=7)

What type of attack is being performed?

A. Cross-site scripting
B. XML injection
C. SQL injection
D. Header manipulation

I see each word … each letter of the answer in my mind’s eye … except the answer of course.

A common technique of this attack is to insert an always-true statement, such as 1 = 1, or in this example, 7 = 7. I get that. But technique for which attack?

I can’t find a way to eliminate even one answer. Help? I have a 1 in 4 shot here, which is like no shot at all. I have 25 minutes. That’s plenty of time. I have plenty of time to mull this one over. But I need help. I need your help.
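The always-true clause in that log entry, as an added example that is not from the post or the exam vendor: a small detector run over the logged fragment plus constructed lines, and, in SQLite, the string-built query such a clause defeats beside the parameterized one that treats the same input as data. The table, the stored user, and the quote-bearing variant `' or '7'='7` used for the SQLite part are assumptions.

```python
import re
import sqlite3

# Coarse detector for an OR-tautology (7=7, 1=1, 'a'='a') in a submitted field.
# The closing quote is optional because an application often appends it itself.
TAUTOLOGY = re.compile(r"\bor\b\s*(['\"]?)(\w+)\1\s*=\s*\1\2\1?", re.IGNORECASE)

# The entry from the question, plus constructed benign lines for contrast.
LOG_LINES = [
    "(where email=support@diontraining.com and password= or 7=7)",
    "(where email=alice@example.invalid and password=correct-horse)",  # constructed
    "(where email=bob@example.invalid and password=Orion=7)",           # constructed, no OR keyword
]

def parse_entry(entry: str) -> dict:
    """Split the logged WHERE fragment into its two fields (format taken from the question)."""
    m = re.search(r"email=(?P<email>\S+)\s+and\s+password=(?P<password>[^)]*)\)", entry)
    if m is None:
        raise ValueError(f"unrecognised entry: {entry!r}")
    return m.groupdict()

def is_tautology_injection(value: str) -> bool:
    """True when the field carries an OR followed by an always-true comparison."""
    return TAUTOLOGY.search(value) is not None

def flag_entries(lines) -> list:
    """Return the e-mail of every entry whose password field carries an always-true clause."""
    return [parse_entry(l)["email"] for l in lines if is_tautology_injection(parse_entry(l)["password"])]

def _db() -> sqlite3.Connection:
    # Constructed one-row user table; the password value is a placeholder.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('support@diontraining.com', 'hunter2-constructed')")
    return con

def login_concatenated(email: str, password: str) -> bool:
    """Vulnerable: the value is pasted into the SQL, so ' or '7'='7 rewrites the WHERE clause."""
    sql = f"SELECT COUNT(*) FROM users WHERE email='{email}' and password='{password}'"
    return _db().execute(sql).fetchone()[0] > 0

def login_parameterized(email: str, password: str) -> bool:
    """Fixed: placeholders keep the value as data, so the same input is just a wrong password."""
    sql = "SELECT COUNT(*) FROM users WHERE email=? and password=?"
    return _db().execute(sql, (email, password)).fetchone()[0] > 0
```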

I smile as I remember my ChatGPT dad quote of the day.

“Now, I'm so relaxed that I have to make myself nervous. I feel better when I'm second and third guessing myself over everything. I play with the mice in my head, all the time.”

My dad never wrote that of course. At least not originally. That’s what ChatGPT thinks my dad would say to me today if he could say anything today – all based on the pages of his diary I inputted into the AI.

Just before I started this exam, I found out that that was a quote from John Singleton. But that does sound like my dad. Kudos to the code miners. It sounds like something my dad would’ve said just before he couldn’t say things anymore.

Hold on, dad. This test is almost over. I’m coming to see you. I only have one more question and I’m ---

-- that’s not true, dammit, I scold myself. I’ve got a million more questions, dad. I have so much time now and I got a million more questions.

My online moderator warns me “one last time” to stop looking around my room.

The answers ain’t in this room, I don’t say to her. Off screen, I touch the mouse. And then the mousepad. And then the contours of my laptop.

“What are you doing?” my moderator asks.

I try to explain that my dad once taught me about the psychology involved in panic. He told me that the natural reaction of someone in panic mode is to retreat into one’s subconscious. To escape into your mind.

To remedy that, my father said to get in touch with your surroundings. Literally. Touch things that are real. The more textured and defined the better. Stay in touch with reality.

“Your father sounds like a really great guy,” she says out of character, probably breaking her moderator code of detachment.

“You only have one question left. Let me know if you need help, but I think you got this.”

I smile. That’s nice of her, I think to myself. The kind of reassurance you used to give me, dad.

I stroke my keyboard one last time. This is what it’s going to be like now. Playing without a net. You not being there to back me up anymore.

I look at my test time. I have 23 minutes left. I think of Michael Jordan. The GOAT. That is with the exception of my father. Alpha. Omega.

I click C. It’s over.

I take another deep breath. Another deep exhale.

My moderator snaps me back to reality quickly. “Nice job. 767. You passed.”

I am taken aback at the quickness of the result.

I ask permission to turn my phone back on. She says yes. I’m greeted by a series of text alerts. Ding. Ding. Ding. I ignore them. I put my phone on silent mode.

“I hope it’s more good news,” she says with a big smile.

I know it’s not, but I smile back again at her anyway.

She continues, apologizing actually for being so stern earlier. It’s the job, she says. She needs it to finish up her graduate degree in AWS Cloud Computing. She says she’s really a nice person if I ever got to know her.

I tell her that I believe her. I also tell her that the last thing my dad ever taught me was that it’s not the destination …

“Let me guess this time. It’s not the destination, it’s the journey?”

No … neither. It’s the company along the way.