
June 12, 2025 25 mins


Security professionals face a constant battle to keep up with evolving threats, and our latest CISSP Question Thursday podcast delivers critical insights into one of the most fundamental cybersecurity capabilities: effective logging and monitoring.

The episode begins with a warning about a sophisticated attack campaign targeting recruiters. The hacker group FIN6 (Skeleton Spiders) has been creating fake candidate profiles with malware-laced resume attachments, tricking HR professionals into downloading zip files containing the "More Eggs" JavaScript backdoor. This social engineering tactic exploits normal recruiting workflows to steal credentials and gain network access. We discuss why security teams must partner with recruitment departments to develop specialized awareness training and technical controls to address this growing threat.

Diving into CISSP Domain 7.2, we explore fifteen practical questions about logging and monitoring implementations. We cover critical distinctions between detection and prevention technologies, explaining why deep packet inspection is essential for identifying encrypted command and control communications over HTTPS. We examine why log integrity and non-repudiation are paramount when logs may serve as legal evidence, and why HR data provides crucial context for User and Entity Behavior Analytics (UEBA) systems trying to identify insider threats.

For those implementing Network Intrusion Prevention Systems, we emphasize the importance of deployment in detection-only mode for extended tuning periods before enabling blocking capabilities. We examine why mean time to respond (MTTR) to critical incidents provides the most holistic metric for evaluating security operations effectiveness, and why automated ingestion of threat intelligence feeds delivers the most value for continuous monitoring objectives.

This episode balances technical depth with practical implementation guidance, making it valuable for both CISSP candidates preparing for the exam and practicing security professionals looking to strengthen their monitoring capabilities. Visit CISSP Cyber Training for access to all our training materials and sign up for 360 free practice questions to accelerate your certification journey.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we
provide you the training and tools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber and I'm your host for this
action-packed, informative podcast.
Join me each week as I provide the information you need to pass
the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started.
Let's go.

Speaker 2 (00:24):
Hey all, Sean Gerber, with CISSP Cyber Training and hope
you all are having a beautifully blessed day today.
Today is yes, you guessed it CISSP Question Thursday, and
this is the follow-on to what we talk about on the Monday
podcast related to Domain 7.2.
And this was around logging and monitoring.

(00:45):
So if you listen to the podcast on Monday, a lot of the
questions that we talk about today are going to be related to
that specific content in general.
So that's the benefit of it, right, you get Mondays, you get
the training, Thursdays, you get podcasts, or you actually
should say you get questions.
So questions follow on after the overall training.
So it good stuff.
So, that being said, you know, obviously CISSP Cyber Training

(01:06):
has got all the content you could want.
If you just head on over to CISSP Cyber Training, you can
get all of that and get it all.
Everything I'm talking about can be all accessed available to
you.
But before we talk about the questions for today, we are
going to talk about, real quickly, an article that I saw
in the Register and what it is.
It was kind of actually interesting.

(01:27):
It's interesting in a sad way, these hackers, basically from
the group FIN6, right, which is Skeleton Spiders the name of
them, and they are using various capabilities to go and target,
as you could possibly guess, recruiters.

(01:48):
Right, because recruiters are looking for candidates to be
able to fill these job roles.
Well, what do these guys do?
Yeah, they basically set up fake locations for these
recruiters to go to to download a air quotes, resume or other
kind of documentation, of which it then has laced with some
level of malware.
In this case, here they're using a zip file that contains a

(02:09):
basically a shortcut that executes the More Eggs
JavaScript backdoor and it's basically ends up going adding
credential theft from those systems.
So, as you know, you have a recruiter, a recruiter goes out
hey, I've got this portfolio, I've got some resumes.
They go to it, they download those resumes, they open up the

(02:31):
zip file and the executable kicks off.
So it's a bit of a challenge, right?
So if you're a recruiter, you're just going.
What in the world is going on?
And this, unfortunately, they're stealing these
recruiters' information and then from there they go and they go
after the company that the recruiter works for.
So a lot of interesting things that are happening in security.
So one of the main takeaways on all this is, if you are a
recruiter looking for anybody, it doesn't even have to be an IT

(02:53):
.
If you're looking for someone to basically be a welder, you
want to make sure that you are paying attention to who is
actually providing you this information.
You need to avoid as much as you can unsolicited requests and
going hey, here's my resume, check it out.
You need to be very careful with those kinds of aspects.
You also need to make sure that if you're a recruiter, or if

(03:15):
you're a security professional that has recruiters that work
with you guys, you need to make sure you talk to them about how
can they protect themselves through some level of security
awareness training, and you could provide that to them.
Around what are some fake candidates?
What would this look like?
What are some telltale signs around that?
And you may not know as a security professional.
So you may have to work with HR and your recruiter folks to

(03:37):
understand what is the typical process by which they would
normally reach out to IT professionals or any
professional of that in general.
So something really important to think on that.
The other aspect is ensuring that you have email filtering
and your malware defenses are also up and operational.
So that's kind of the whole big thing that came out of that
article.
I think you should go check it out and read it.

(03:57):
If anything, I would send it on to your recruiters within your
organization and just say, hey, let's have a conversation about
this and see what we can come up with together.
Again, I talk about this in CISSP Cyber Training.
A lot it really truly comes down to is building those
relationships with individuals within your organization, within

(04:17):
your company, around cybersecurity.
They don't understand it.
You are the expert, but you can't get done anything you need
to get done without their assistance.
So this is a really good opportunity for you to be able
to reach out to them and say, hey, how can we partner together
to fix this problem?
So just something to consider.
Great, I think it's a great article to ship to them HR

(04:39):
recruiters, all of those folks and say, hey, again, let's have
a conversation and see what we can do about this together.
Okay, so let's get on to the questions for this week.
Okay, again, this is group nine.
At CISSP Cyber Training, you can get access to all these
questions Again.
Just purchase the products that we have out there and they will
be available to you.
Or you can go check out the free stuff.

(05:00):
Right, I've got all this content is available in some
form or fashion in a free format.
May not be exactly what you need, but a lot of it is out
there and available.
So you can go to CISSP Cyber Training, go to my blog.
Lots of free stuff that will be there.
This will be posted out there at some point in time here in
the near future.
So, again, that's another good place you can get this
information.
You can also get it from YouTube as well.

(05:20):
So lots of places that you can get all this.
The bottom line is I want to provide you with the tools you
need so that you can be successful in passing the CISSP
and the fact that you understand cybersecurity as a whole.
Okay, so let's get into question one Question one a
financial institution aims to detect sophisticated unknown
malware attempting to establish outbound command and control, or

(05:43):
C2, communications using common ports, i.e. HTTPS as an example.
Which combination of continuous monitoring capabilities offers
the most again, key term most effective detection strategy for
this particular threat.
Okay, so you've got some looking for command and control
over HTTPS.
So what is the most effective detection strategy?

(06:05):
A signature-based IDSs with real-time log aggregation,
periodic vulnerability scans and threat intelligence on
indicators of compromise feeds, or IOCs egress monitoring with
deep packet inspection, DPI and behavioral analysis.
Or the last one is user and entity behavior analysis or UEBA

(06:27):
with Active Directory change logs.
Again, so you're looking command and control HTTPS.
HTTPS is a key giveaway there and the answer is C egress
monitoring with deep packet inspection and behavioral
analytics.
You're going to have to have the ability to decrypt that
traffic and you're going to need DPI or deep packet inspection

(06:48):
to make that happen.
Question two A security operations center relies heavily
on its SIEM, or the Security Incident Event Manager, for
threat detection.
To enhance the SIEM's ability to identify previously unseen or
polymorphic malware, which of the following threat
intelligence types would be most valuable for developing a new

(07:09):
correlation rules?
Okay, there's a lot of a mouthful in there.
There's a lot of stuff going on.
But you got a SIEM you want to figure out.
It's looking for polymorphic I can't say the word morphic
malware, and then you're also looking to develop what are the
correlation rules.
So what are the feeds?
You're looking for A tactical threat intelligence on adversary
tactics, techniques and procedures, or TTPs.

(07:30):
B strategic threat intelligence on geopolitical motivations.
C raw indicator on indicators of compromise feeds such as IP
addresses and domains, or D open source intelligence on recent
data breaches.
Again, we're focused on something very specific
polymorphic malware and the answer would be A tactical
threat intelligence on adversary TTPs.

(07:52):
This would be the main one you would want to go after.
Question three an organization's compliance framework mandates
strong audit trails for all critical systems.
Which log management principle is most essential to ensure that
logs can be used reliably for forensics analysis and to stand
up in a court of law?

(08:13):
Okay, so again we're talking about a compliance framework.
Which log management principle is most essential when you're
looking for reliability of forensics analysis?
A log aggregation to a central repository.
B long-term log retention.
C log normalization or D log integrity and non-repudiation,

(08:34):
and the answer is D.
Right, so the main point around this is that when you're
dealing with log integrity and non-repudiation, it needs to be
admissible in a court, and so, therefore, the evidence must be
non-repudiated.
They must be able to say it's without whatever happened with
it.
No one tampered with it, no, had any issues with it.
That is the key term that you're going to be focused on,

(08:55):
especially when you're dealing with analysis, to stand up in a
court of law.
Question four UEBA solution flags an executive's account for
high risk behavior, showing logins from unusual locations,
followed by access to sensitive financial data and then attempts
to access dormant accounts.
That does not seem right.

(09:15):
Okay, not good.
The executive claims these are legitimate actions.
What is the most crucial follow-up action for the
security team beyond the direct communication with the executive?
Beyond the direct communication with the executive?
A block the executive's account immediately and globally.
B cross-reference UEBA alerts with other security logs, such

(09:35):
as your SIEM, your network, even.
What's HR?
And why would HR be important?
Yeah, maybe because they're getting fired, or for contextual
validation.
C conduct a forensics image of the executive's endpoint.
Or D adjust the UEBA baseline for executives to reduce the
false positives.
Okay, and which one is the most crucial follow-up?

(09:56):
It would be B.
Right, you want to double check with all the other log sources
to make sure that, yes, this person is doing what they're
supposed to be doing, and HR, I believe, is a very crucial part
in all of this.
Again, you're going to have to have most likely the cone of
silence when you talk about this but you don't know.
I've dealt with it myself where I've had executives senior
level executives be let go and when they're let go, what

(10:18):
happens?
Their accounts are terminated very quickly.
But before we let them go, what did we do?
We did a little bit of snooping to make sure that they're not.
They didn't send stuff home and because they were in touch with
a lot of very sensitive information.
Okay, question five which of the following is a primary
characteristic that distinguishes a network-based
intrusion prevention system, or NIPS, from a network-based

(10:39):
intrusion detection system, NIDS, in its deployment and
capability?
So you got a NIPS versus a NIDS.
Right Prevention versus detection.
A NIPS operates in a promiscuous mode to analyze
traffic.
B NIPS can actively block or modify malicious traffic in line.
C NIPS is designed to detect known attack signatures only.

(11:02):
Or, D NIPS generates alerts for suspicious activity without
taking action.
And the answer is B right NIPS.
NIPS can actively block or modify malicious traffic in line.
That's one of the benefits of having an intrusion prevention
system.
Right Prevention is a key point.
It can block it in line.
Now the bad side of all that is, you can DOS yourself or, when

(11:24):
it comes down to it, you can denial of service yourself
because it starts blocking stuff that you don't want it to block.
So before you kick it into block mode, you better make sure
that Hal understands what he or she is doing.
And if you get an Odyssey 2001 movie reference of Hal, yeah,
then you're old like me.
Question six a company implements a continuous

(11:45):
monitoring using GRC or governance, risk and compliance
platform.
Which benefit is most directly achieved by mapping the
technical security control data patch levels, access logs, etc.
to the compliance requirements within this platform?
Again, so a company implements a continuous monitoring using
GRC, and what benefit is most directly achieved by mapping the

(12:07):
technical security control data to the overall program itself?
A elimination of security vulnerabilities.
B real-time automated incident response.
C automated generation of regulatory compliance reports
and continuous auditing.
And D prediction of future cyber attacks using machine learning.
That's pretty cool if you can do that, but no, it's definitely

(12:29):
not D and the answer is C automated generation of
regulatory compliance reports and continuous monitoring.
The ultimate goal of putting it in a GRC is your governance,
risk and compliance A lot of that stuff.
You're dealing with regulatory aspects and so therefore having
it into that platform helps a lot with dealing with your
regulators, and I know a lot of the guys that listen to this

(12:50):
program know one thing is that you probably are very tactical
in nature and a lot of them don't really want to deal with
the GRC aspects.
However, if you're taking your CISSP and you want to become a
senior professional in this field, you're going to have to
learn and deal with GRC.
It's an important part and it'sthere.
It's here to stay.
It's not going anywhere.
So just embrace the change.
You can do it.

(13:10):
Just embrace it All right.
Question seven An organization is concerned about adversaries
using DNS tunneling for data exfiltration.
Which of the following egress monitoring techniques would be
most effective for detecting this specific covert channel?
So again, an organization is concerned about adversaries
using DNS tunneling for data exfiltration, basically using

(13:31):
DNS to get data out.
Which of the following egress monitoring techniques would be
most effective?
A blocking all outbound traffic on UDP port 53.
That would be a bad idea.
B deep packet inspection on outbound DNS queries for unusual
large payloads or non-DNS characters Deep packet
inspection.
C monitoring firewall logs for unknown external IP addresses

(13:54):
Possible.
C analyzing NetFlow records for high volumes of outbound TCP
traffic.
Okay, so the one that's the most effective would be B deep
packet inspection of outbound DNS queries for unusually large
payloads right.
So blocking it would be bad.
Right, that would break your DNS.
Unknown IPs are too general and then high volume TCP.

(14:16):
It's not related to DNS tunneling.
So what is the most important?
DNS tunneling using your packet inspection around.
That is probably the best way that you can find this situation.
But to do that you're going to make sure that you're going to
have to have these.
Put your inspectors in various locations where the data is
going to be crossing, basically their sensors.

(14:38):
It's very important from an architectural standpoint on
where you put these sensors that are going to be basically
shunting off the data and then decrypting it, doing whatever
they're going to be doing with it.
So you need to have a plan around that and work with your
enterprise architects on that specific thing.
Question eight a SOC analyst receives a high priority alert
from a SIEM indicating a brute force attack against an external

(15:01):
facing web app.
After initial investigation, the analyst determines the
source IP is from an unknown malicious botnet listed in a
commercial threat intelligence feed.
Which of the incident response playbooks would leverage this
threat intelligence most directly?
So you're looking for a playbook, right, and you've got
IPs from a known malicious botnet.
What should you do?
A long-term strategy planning playbooks?

(15:23):
You need to grab those B threat hunting playbooks.
C recovery and restoration playbooks.
Or D containment and blocking playbooks.
So again, we're looking here.
We got initial investigation determines the source of it from
a known botnet listed for commercial threat intelligence.
They're trying to do a brute force attack and the answer
would be D containment.
Right, it's knowing that the botnet exists and so therefore

(15:46):
you want to have a containment action.
You want to be able to try to stop it from doing what it's
doing to you.
So you'd want to pull out any containment and blocking
playbooks you may have.
Question 9, which of the following is a key advantage of
utilizing a centralized log management system in a large
enterprise over distributed logging across individual

(16:07):
servers?
There's a lot of words in there, sorry, so again, key advantage
of a central spot over versus having it all distributed across
many, many servers.
A enhanced visibility of cross-system correlation and
simplifies compliance auditing.
B reduces the overall volume of logs generated.
C eliminates the need for strong access controls on logs.

(16:28):
Or D guarantees real-time detection for all events.
So real-time event detection for all events.
Yeah, throw that one out the window.
And the answer is A enhances visibility for cross-system
correlation and simplifies compliance auditing.
Again, you want to have it in one large area.
You have it centralized.
It gives you much more flexibility and much more

(16:51):
capability.
Question 10 an organization decides to implement a network
intrusion detection in passive, promiscuous mode.
What is the primary operational consequence of this deployment
choice?
So again, NIDS in promiscuous mode.
A NIDS will actively block detected attacks.
B the NIDS will not interfere with the network traffic flow.

(17:12):
C the NIDS can only detect attacks from a network perimeter.
Or D NIDS require dedicated network segments for deployment.
So again, you decide to deploy it in promiscuous mode.
The primary operational consequence is it won't
interfere with your network traffic flows.
That's one of the big benefits.
Right, it's promiscuous, it's just listening, that's all it is
doing.
It's in a passive mode and so therefore it allows all that

(17:38):
data off of, usually off a span or a network tap, and then it'll
be done, dumped into a central spot for logging and monitoring
capabilities.
So I've worked on many different types of these types
of situations, from very large enterprises to smaller
organizations, but they work really, really well.
Question 11 a security team is deploying UEBA solution. To
maximize its effectiveness in detecting insider threats,
which data source provides unique context about the user's

(18:02):
legitimate authority and potential motivations, often
missed by purely technical logs?
So, okay, so UEBA.
You're deploying UEBA.
How do you maximize it?
How do you make it work as best as you possibly can?
A DNS query logs.
B firewall connection logs.
C human resources system data.

(18:22):
D application error logs.
And again, you're looking at UEBA.
Okay, you're dealing with user behavior analytics.
Which one is it?
It is C.
Using HR to help you is a very important part in all of this,
and having them give them some context about the UEBA
deployment big, big deal.

(18:42):
Question 12.
CISO is reviewing the long-term effectiveness of the
organization's incident response program.
Which continuous monitoring metric would provide the most
holistic view of the overall ability to minimize the impact
of a security incidence over time?
A mean time to respond or MTTR to critical incidents.
B number of vulnerabilities patched per month.

(19:04):
C percentage of successful phishing attacks.
Or D number of security alerts generated by the SIEM?
Again, most holistic would be A mean time to respond for all
critical incidents.
The ultimate point of this is that you want to be able to
respond to an incident especially critical.
That's the most holistic overall view of this and really,

(19:25):
when it comes down to metrics, if you are in cybersecurity, you
really need to consider how do you utilize metrics to the best
of your abilities, and you need to utilize them as much as you
possibly can.
Question 13.
A financial institution processes a very high volume of
real-time transactions.
To ensure compliance with audit trails for every transaction,
which log management consideration is most paramount?

(19:47):
A Log compression to minimize storage costs.
B Redundant log forwarding paths to ensure no event loss.
C Automated purging of logs older than 90 days.
Or D manual review of logs by a dedicated audit team.
And the answer is B redundant log forwarding paths to ensure no

(20:08):
event loss.
Okay, so again, to ensure compliance with audit trails of
every transaction, you want to have redundancy.
You can't lose anything If you start losing data.
It now gets into a situation where it's not audit.
Your audit people will be having a fit over that, so you
need to have a really good plan.
From a security professional standpoint.

(20:28):
What is completeness?
Ensuring every single transaction is captured and
logged?
Again, redundant log forwarding will allow that to occur.
So you need to kind of consider that.
Question 14.
An organization utilizes NIPS in inline mode to minimize false
positives that could disrupt a critical business ops.
Which operational strategy is most important during the

(20:51):
initial deployment and ongoing maintenance?
Again, you're deploying NIPS, it's inline.
Okay, what's the most important thing you can do during
deployment?
A disabling all anomaly-based detection rules.
B deploying the NIPS in detection only for an extended
tuning period.
C limiting all NIPS policies to only block high severity

(21:11):
signatures.
Or D outsourcing NIPS management to a managed security
service or MSSP.
Again, the most important thing during initial deployment B
deploying the NIPS in detection-only mode for an
extended tuning period.
You got to tune it and if you go and just throw it on and
let's see what happens, you're going to have all kinds of
issues.
So you got to tune it out and you got to figure out what is

(21:32):
the most important part around, what's going on with it.
So, again, tuning is a big, big factor on anything that you're
putting in line, okay.
Question 15.
A security team wants to leverage threat intelligence to
proactively identify compromised internal systems that are
currently communicating with known malicious IP addresses or
domains.
Which type of threat intelligence consumption and

(21:54):
integration model is best suited for this continuous monitoring
objective?
A manual download and analysis of PDF-based threat reports.
B strategic intelligent briefings with executive
leadership.
C one-time penetration tests using latest threat actor
techniques.
Or, D automated ingestion of IOC feeds into the SIEM or EDR

(22:17):
platform.
Again, IOC is indicators of compromise and, again, with the
best suited for continuous monitoring.
What would it be if you're dealing with malicious IP
addresses?
It would be.
D automated ingestion of IOC feeds into the SIEM or EDR.
Again, these feeds are extremely important.
They have that continuous basis.
They're going to allow you to give the best kind of monitoring

(22:39):
and capability to that situation.
They're also going to give you your best chance of detecting
these situations as well.
So that is all I have for you today.
Head on over to CISSP Cyber Training and get all of this
content you could ever ask for.
It's all there.
All you got to do is you just buy one of my courses.
You will have access to it.
If you need mentorship, reach out to me.

(22:59):
I can definitely help you with that as well.
Lots of people out there will talk that they can help you in
mentoring you into your whatever program to get a job, whatever
it is.
I'm sorry, but a lot of that is BS.
There's a process.
By doing that I can help you.
I've got 20 some years of experience doing this stuff.
I've hired people, I can tell.
I've trained people.
I have done pretty much all you can do in cybersecurity in

(23:21):
different aspects for the past 20 some plus years.
So I can help you with that, in what you might need.
So again, reach out to me.
Go to CISSP Cyber Training.
There's three different tiers for you as a bronze, silver and
gold.
Each of those have different options.
Check them out, see which one works best for you and I can
help you get your what you want in your goals and dreams for
your role.
All right, that's all again.

(23:41):
That's all I've got.
Head on over to CISSP Cyber Training and we'll catch you all
on the flip side, see ya.
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes,
as I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to
my channel at CISSP Cyber Training and you will find a
plethora or a cornucopia of content to help you pass the

(24:05):
CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360
free CISSP questions to help you in your CISSP journey.
Thanks again for listening.