Module 2: Security Incident Creation and Threat Intelligence Flashcards

1
Q

Where are alert rules that create security incidents defined?

A

Event Management Application

2
Q

What is SIEM?

A

Security Information and Event Management - Allows the creation of SIs, event correlation, event rules, and alert rules

3
Q

What are response tasks?

A

These are created to track separate actions to be performed in order to respond to the security issue

4
Q

What three records are mentioned as creatable options from an SI?

A
  • Change Request
  • Incident
  • Problem
5
Q

What is the state that allows an SI to be closed and an appropriate close code to be entered?

A

Review

6
Q

What is the Security Incident Response Setup Assistant, and what are the five categories?

A

This assistant walks the Security Incident Admin [sn_si_admin], or system admin, through setting up the SIR process in a simple step-by-step fashion

The five categories are:

  1. System Administration
  2. Security Incident Response Administration
  3. Security Incident Email Settings
  4. Security Incident Playbook Settings
  5. Capability Configurations (workflow actions, sighting search, email block and delete)
7
Q

In the SIR Setup Assistant, what occurs in the System Administration category?

A
  • Define SIR users and groups
  • Activate integration plugins
8
Q

In the SIR Setup Assistant, what occurs in the SIR Administration category?

A
  • Manage security incident roles and user groups
  • Set up IR process
    • Risk Score Configuration
    • Escalations
    • SLAs
    • Process Definitions
    • Post Incident Review
  • Set up supporting platform capabilities
    • request lifecycle
    • catalogs
    • notifications
    • auto-manual assignments
    • knowledge base
    • managed docs
    • etc
9
Q

In the SIR Setup Assistant, what occurs in the Security Incident Playbook Settings category?

A
  • Set up runbook documents to create specific associations between KBs and incident or response tasks based on some attributes
  • Create new/manage pre-defined flows or workflows to respond to security incidents
  • Create new/manage pre-defined triggers for automatically assigning playbooks to security incidents
10
Q

In the SIR Setup Assistant, what occurs in the Security Incident Email Settings category?

A
  • Set up email inboxes to receive alert emails
  • Set up user-reported phishing
  • Set up email parsers to generate incidents
  • Set up inbound email actions on incoming emails
11
Q

In the SIR Setup Assistant, what occurs in the Capability Configurations category?

A
  • Configure integrations to work with capabilities
  • sighting search / block request / email search and delete / enrich configuration item…
12
Q

Where does detection commonly originate?

A

Tools such as firewalls, intrusion detection systems, and the logs of email or web gateways. Incidents can also be raised manually

13
Q

Are requests raised through the Security Incident Catalog automatically converted to Security Incidents?

A

No. Some remain as security requests to be addressed, but all are handled by record producers that drive actions

14
Q

Which role is required to add new items to the security incident catalog?

A

sn_si.admin

15
Q

What are the two primary ways to manually create a security incident?

A

Create them directly from the Security Incident application

Raise/promote a regular incident to a security incident

16
Q

What is an email parser and what is its purpose?

A

This is something that receives email in the tool (like an inbound action) and allows that email to create various types of records (security, vulnerability, threat) based on the field(s) specified.

Note: If more than one field is specified, all fields must match the email to create a record

17
Q

What are some examples of fields an email parser may look for?

A
  • email is from a specific address
  • email is sent to a specific address
  • email subject contains …
18
Q

What is Threat Intelligence?

A
  1. Process of collecting valuable or critical information to act on or respond to an event
    1. Specific artifacts (observables)
    2. Evidence of “signs” of an attack (indicators of compromise - IoC)
19
Q

What does Threat Intelligence consist of?

A

Threats, Threat Actors, and TTPs (Tactics, Techniques and Procedures)

  • DDOS, Fraud, Cyber Catastrophes
  • Main players of an attack
  • Methods, Modes, Scripted
20
Q

What are the five stages in the Threat Intelligence Lifecycle?

A
  1. Aggregate
  2. Contextualize
  3. Prioritize
  4. Utilize
  5. Learn

Loop back to aggregate

21
Q

Define the following Threat Intelligence Concept/Terminology:

Structured Threat Information Expression (STIX)

A

A structured format for the description of threat data

22
Q

Define the following Threat Intelligence Concept/Terminology:

Trusted Automated Exchange of Intelligence Information (TAXII)

A

Transport mechanism for sharing threat intelligence data

23
Q

Define the following Threat Intelligence Concept/Terminology:

Cyber Observable eXpression (CybOX)

A

Common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity

24
Q

Define the following Threat Intelligence Concept/Terminology:

Tactics, Techniques and Procedures (TTPs)

A

Tactics, Techniques and Procedures (TTPs) are the “patterns of activities or methods associated with a specific threat actor or group of threat actors”

Analysis of TTPs aids in counterintelligence and security operations by describing how threat actors perform attacks

25
Q

_____ is a language that can use _____ words, and the communication is possible with _____

A

STIX is a language that can use CybOX words, and the communication is possible with TAXII

Structured Threat Information Expression

Trusted Automated Exchange of Intelligence Information

Cyber Observable eXpression

26
Q

_____ characterizes what is being told, while _____ defines how the _____ language is shared

A

STIX characterizes what is being told, while TAXII defines how the STIX language is shared

Structured Threat Information Expression

Trusted Automated Exchange of Intelligence Information

Cyber Observable eXpression

27
Q

Why does the Threat Intelligence platform aggregate and correlate against existing threat data?

A

To identify patterns that indicate suspicious or malicious activity and link to technical indicators for categorization

28
Q

What is the “enemy” in cybersecurity?

A

Known as a “Threat Actor”, this is a person, group, or entity that creates all or part of an incident with the aim of impacting an organization’s security

29
Q

What are Observables?

A

stateful properties such as

  • Observed MD5 hashes
  • Observed IP addresses
  • Observed DNS names
  • Observed email addresses

Observables are the first actionable items in threat intelligence and give you clues regarding the targets and motivation of the attacker

30
Q

What are Indicators of Compromise (IoCs)?

A

Indicators of Compromise (IoCs) are anything that allows you to detect an attack or breach:

  • Log entry
  • Change in status or some form of a modification
  • File integrity differences
  • An alert from a tool

An IoC is often described in the forensics world as evidence on a computer that indicates the security of the network has been breached. Investigators usually gather this data after being informed of a suspicious incident, on a scheduled basis, or after the discovery of unusual call-outs from the network.

31
Q

What are Sighting Searches?

A

Sightings are observations of “potentially malicious activity”

  • Interesting events that have yet to be analyzed
  • Logins in the middle of the night
  • Heavy network or CPU activity
  • Additional software appearing out of nowhere
32
Q

What are Security Cases?

A

A security case is a collection of records that aid in building an argument for identifying and dealing with particular threats

A security case gathers information on suspicious activity occurring in the environment:

  • Combination of Security Incidents, observables, Configuration items, and affected users
  • Categorizing adversaries and campaigns

Provides a broad but specific analysis of the overall threat used to identify

  • Advanced Persistent Threats
  • Phishing campaigns
  • Identifying adversaries
33
Q

What is MITRE - ATT&CK?

A

MITRE ATT&CK

  • AT - Adversarial Tactics
  • T - Techniques
  • &CK - Common Knowledge

The MITRE ATT&CK framework is a knowledge base of cyberattack tactics and techniques used as a foundation for the development of specific threat models and methodologies

34
Q

What do Tactics represent in an ATT&CK technique?

A

The “why”. It’s the adversary’s tactical objective: the reason for performing an action

MITRE ATT&CK

  • AT - Adversarial Tactics
  • T - Techniques
  • &CK - Common Knowledge
35
Q

What do Techniques represent in MITRE - ATT&CK?

A

The “how” an adversary achieves a tactical objective by performing an action

MITRE ATT&CK

  • AT - Adversarial Tactics
  • T - Techniques
  • &CK - Common Knowledge
36
Q

The MITRE - ATT&CK collections include Enterprise and Mobile. For Enterprise how many tactics (why) are defined? (4 examples)

A

There are 14 tactics defined including:

  • Reconnaissance
  • Initial Access
  • Credential Access
  • Defense Evasion
37
Q

The MITRE - ATT&CK collections include Enterprise and Mobile. For Enterprise how many techniques (how) are defined? (3 examples)

A

There are over 500 techniques defined including:

  • Botnet
  • Credentials in Files
  • Keylogging
38
Q

What is the difference between the “Incident - based Response” and “Intent - based Response” as related to MITRE - ATT&CK?

A
39
Q

Where is MITRE - ATT&CK integration data populated?

A

In the Threat Intelligence application in the following tables:

Tactics are stored in a table called Kill Chain Phase - [sn_ti_stix2_kill_chain_phase]

Techniques are stored in a table called Attack Pattern - [sn_ti_stix2_attack_pattern]

40
Q
A
41
Q

The MITRE-ATT&CK functionality was developed for multiple levels. What benefit is available for Analysts?

A
  • Informed Investigations
    • MITRE-ATT&CK information associated with IoCs (Adversary, TTPs, Mitigations), Similar Incidents fusion
  • Response Guidance
    • Playbook and Automations for enrichment, Scoping and remediation by attack stage/technique
  • Storyline
    • Build the full picture of the related chain of events
42
Q

The MITRE-ATT&CK functionality was developed for multiple levels. What benefit is available for the CISO?

A

The MITRE-ATT&CK dashboard has a view of the data source coverage, tactics and techniques used in the organization

  • MITRE-ATT&CK Dashboard
    • Trends
    • Top Techniques
    • Heat Map
  • SOC Maturity Assessment
    • Security Posture Assessment
    • Security Control Analysis
    • Recommendations/Improvements
  • Cyber Threat Intelligence
    • Threat Actor Analytics
43
Q

The MITRE-ATT&CK functionality was developed for multiple levels. What benefit is available for Threat Hunters?

A

Correlate and perform link analysis on observables, security incidents and MITRE-ATT&CK related information, then use the heatmap and filters to display the information

  • ATT&CK coverage map
    • “Tactic - Technique - Data Source - Tools - Alerts” mapping
  • ATT&CK technique prioritization & optimization
    • Attack difficulty
    • ROI
    • relevancy analysis
44
Q

What are the three Major Components of MITRE-ATT&CK that are specifically listed?

A
  • Integration with Security Incident Record
  • STIX Visualizer
    • visually represents the structure of the STIX object and its relationships
  • Dynamic Heatmap
    • display aggregate data visually using colors to represent different values
45
Q

What is MITRE-ATT&CK Configuration Step 1?

This step is always required

A

Set up the Integration TAXII Profile and import the desired collection

Trusted Automated eXchange of Intelligence Information

46
Q

What is MITRE-ATT&CK Configuration Step 2: Implementation Details?

There are three system properties that relate to MITRE-ATT&CK; what are they?

What is the new role and its function?

A

[sn_ti.mitre_analyst]

  • Allows cross navigation for the MITRE features between SIR and TI Support Common
  • This role allows read-only access to the MITRE module and the Security Incident Response module
  • This role contains the sn_ti.read and sn_si.read roles
  • In the baseline this role is not contained by any other role
47
Q

What is MITRE-ATT&CK Configuration Step 3: Extraction Rules?

A

This step integrates the MITRE-ATT&CK information with incoming Security Incidents

The baseline includes a global rule as well as SIEM-specific rules where those integrations support MITRE-ATT&CK

48
Q

What is MITRE-ATT&CK Configuration Step 4: Detection Rules?

Are there any MITRE-ATT&CK detection rules provided in the baseline?

How are additional rules added?

A

No rules are provided in baseline

Rules are created from mapping to determine where security gaps exist

Note: These rules do not execute against anything. They are informational only and provide visibility into MITRE-ATT&CK coverage

49
Q

What is MITRE-ATT&CK Configuration Step 5: Data Source Mapping?

A

This step supports the management of MITRE-ATT&CK data sources. Records can be edited in this view to help identify what detection tools are in place in the environment. This information is then visible on the heatmap

50
Q

What is MITRE-ATT&CK Configuration Step 6: Technique Coverage Mapping?

Where are the techniques found?

A

The integration populates mitigation options and tools that could potentially be used against a technique. These need to be reviewed by the customer and some may need to be disabled

Threat Intelligence > MITRE ATT&CK Repository > Techniques

Stored on a table called “Attack Pattern” [sn_ti_stix2_attack_pattern]

51
Q

What questions could a CISO answer from the MITRE - ATT&CK Heatmap?

How is MITRE-ATT&CK data useful to a Threat Hunter?

A