Cybersecurity Incident and Network Basics
48 Questions

Questions and Answers

What must be obtained before reproducing or distributing contents from this document?

  • No permission required
  • Verbal agreement
  • Public domain rights
  • Express prior written permission (correct)

Which part of an HTTP URI specifies the protocol used?

  • Scheme (correct)
  • Query
  • Path
  • Host

What is the default port for HTTP requests?

  • 8080
  • 21
  • 80 (correct)
  • 443

In what scenario would a POST request be more suitable than a GET request?

    • To send a signup form (D)

    What component follows the path in an HTTP URI and allows passing parameters?

    • Query (A)

    Which of the following HTTP methods is NOT commonly implemented by servers?

    • SEND (D)

    What do HTTP headers consist of?

    • Multiple key-value pairs (B)

    Which part of a query string is used by Google to represent what is being searched?

    • q parameter (C)

    What is displayed in the first pane of the Wireshark interface?

    • Captured frames sorted by time (C)

    Which protocols can be encapsulated within a frame as shown in the second pane?

    • Ethernet, IPv4, TCP, and HTTP (C)

    What type of data representation is provided in the third pane of Wireshark?

    • Combined textual and hexadecimal representation (B)

    How is hexadecimal data represented in Wireshark?

    • By converting 4 bits to a single character from 0 to F (C)

    What is the purpose of using the display filter in Wireshark?

    • To filter frames based on specific criteria (C)

    What would the filter 'ip.dst == 192.168.1.3' achieve in Wireshark?

    • It only displays frames with a specific destination IP address (D)

    Which logical operators can be combined with filters in Wireshark?

    • AND/OR (D)

    Which of the following best describes the overall functionality of Wireshark?

    • To capture and analyze network traffic in real-time (D)

    What is the format of an IP address?

    • Four groups of numbers from 0 to 255 (C)

    What does the broadcast IP address typically end with?

    • .255 (A)

    Which of the following ranges represents multicast IP addresses?

    • 224.0.0.0 to 224.0.0.255 (A)

    What should be true for an IP address to be classified as public?

    • It must be assigned uniquely to a certain device (A)

    What is the significance of private IP addresses?

    • They can be duplicated in different networks. (D)

    Which of the following is NOT a range of private IP addresses?

    • 200.100.0.0 – 200.100.255.255 (A)

    What must protocols in a network contain to reach their intended recipient?

    • An IP address and specific addressing information (B)

    What happens to a device that subscribes to a multicast address?

    • It can accept messages sent to that multicast IP. (D)

    What is the primary purpose of the 'User Agent' header?

    • To convey information about the requesting client. (B)

    What does a User Agent string allow the server to do?

    • Respond differently based on the type of client accessing the server. (D)

    Which component is NOT typically included in a User Agent string?

    • Client's geographical location (A)

    What should one do with the document without express prior written permission from Red Alpha Cybersecurity?

    • Manufacture or sell any products described in it. (A)
    • Store it in a publicly accessible archive. (C)
    • Reproduce, disclose, or distribute its contents. (D)

    What information does the HTTP response provide?

    • Whether the request was handled successfully. (C)

    What is the effect of HTTP response codes?

    • They indicate the success or failure of an HTTP request. (C)

    What type of document is described in the content?

    • Proprietary document. (A)

    Why is the information extracted from a User Agent string valuable?

    • It helps analyze HTTP network traffic and understand client devices. (B)

    What is the significance of a public IP address for an internet network?

    • It enables a device to be accessible via the Internet. (C)

    Which of the following statements about MAC addresses is true?

    • The first three groups of a MAC address identify the manufacturer. (B)

    What is the format of a Broadcast MAC address?

    • FF-FF-FF-FF-FF-FF (C)

    Why are port numbers important in network communication?

    • They identify specific running applications that can receive packets. (C)

    Which of the following correctly describes multicast MAC addresses?

    • They start with a specific prefix, such as 01-80-C2. (B)

    What is an OUI in the context of MAC addresses?

    • The first three groups of a MAC address indicating the manufacturer. (C)

    What happens if a device has a private IP address?

    • It cannot be reached via the Internet. (C)

    In a valid MAC address format, which components can represent the values?

    • Digits 0-9 and letters A-F. (A)

    What is the main purpose of DNS in internet browsing?

    • To translate domain names into IP addresses (D)

    What type of query does a DNS client send to get an IP address?

    • DNS request (B)

    What does a DNS reply include in its response?

    • The request and the corresponding IP address (C)

    In the context of online gaming, how does DNS function?

    • It assists in locating the game server by resolving its domain name (A)

    Which statement is true regarding DNS queries and HTTPS communications?

    • DNS queries reveal which sites are visited before an HTTPS request. (A)

    How does the structure of a DNS reply differ from a DNS query?

    • It contains the original query along with the answer. (A)

    What is indicated when a computer shuts down while browsing and a network sniffer is running?

    • The sniffer can capture traffic only when the computer is on. (C)

    Why is DNS crucial for human usability in Internet browsing?

    • It translates complicated domain names into user-friendly formats. (A)

    Study Notes

    Cybersecurity Incident Basics

    • Every cybersecurity incident starts with a motivated attacker.
    • Attackers' motives can include money, power, fame, or revenge.
    • Targets can be individuals, companies, organizations, or countries.
    • Internet-connected networks are often used for attacks.
    • Malware infection and control are intermediate steps for attackers.
    • Attackers often extract data through the same network they used for the attack.
    • Network forensics helps understand attack origins, data leaks, and attackers' motives.

    Network Packets and Protocols

    • Network packets carry various types of information similarly to letters.
    • Envelopes in a network are called packets, and the information type is referred to as the application protocol.
    • Addresses (IP and MAC) in networks ensure correct recipient delivery.
    • IP addresses are four-part number groups (0-255) and are network-dependent.
    • Broadcast IP addresses are meant for all network devices, while multicast addresses are targeted.
    • Private IP addresses (e.g. 10.0.0.0-10.255.255.255, 192.168.0.0-192.168.255.255, 172.16.0.0-172.31.255.255) are not unique to a specific device.
    • Public IP addresses must be unique.
    • MAC addresses are unique to network hardware and cannot be changed.

    MAC Addresses and Special Addresses

    • MAC addresses are fixed hardware addresses in a specific format (XX-XX-XX-XX-XX-XX).
    • Organizationally Unique Identifiers (OUIs) identify manufacturers.
    • Broadcast MAC addresses (FF-FF-FF-FF-FF-FF) will be received by all devices on a network.
    • Multicast MAC addresses start with a specific prefix and are used for specific communication.

    Ports and Application Protocols

    • Port numbers range from 1 to 65,535 and identify specific applications.
    • They allow network packets to be routed to the correct application.
    • Popular protocols: HTTP, DNS, TCP.
    • HTTP servers are located on ports 80 or 443.
    • DNS translates domain names to IP addresses.

    Network Packet Analysis with Wireshark

    • Wireshark is a network traffic monitoring and analysis tool.
    • It logs network traffic, including malicious activity, and allows offline analysis of packet capture files (PCAP).
    • It can analyze network traffic in real-time or through existing PCAP files.

    Wireshark Analysis

    • Wireshark displays captured frames categorized by protocols (Ethernet, IP, TCP, HTTP).
    • It enables sorting, filtering, and focusing on specific data by protocol and address.
    • Filters like ip.dst == [IP address] allow targeting specific network traffic based on destination IP.

    HTTP Protocols

    • HTTP is a client/server protocol where clients send requests, and servers respond.
    • HTTP requests include the type of request, desired resources, or commands.
    • HTTP headers provide additional information about the request.
    • Common header fields include "User-Agent," which reveals client information (e.g., browser, OS).
    • HTTP responses indicate whether a request was successful (e.g., 200 OK), redirected, or resulted in a client or server error.
    • HTTP protocol uses numbered codes to report success or failure.

    DNS Lookups

    • DNS translates domain names to IP addresses.
    • DNS servers help resolve domain names to IP addresses during internet browsing.
    • DNS requests are typically sent before HTTP requests.

    Guided Example

    • John's network investigation examines a PCAP file with Wireshark's statistical tools, covering IP addresses, MAC addresses, operating systems, and browsers.
    • Public and private IPs are identified, and special IPs (e.g., broadcast and multicast) are separated out.
    • MAC addresses and their associated OUI (Organizationally Unique Identifier) groups are examined, and real devices are separated from broadcast and multicast addresses.

    Description

    Explore the fundamentals of cybersecurity incidents and understand the importance of network packets and protocols. This quiz covers motivations behind attacks, the role of malware, and the use of network forensics. Test your knowledge on how addresses work within networks and the types of information carried by packets.