Module 2: Security Incident Creation and Threat Intelligence Flashcards
Where are alert rules that create security incidents defined?
Event Management Application
What is SIEM
Security Information and Event Management - Allows the creation of SIs, event correlation, event rules, and alert rules
What are response tasks
Tasks created to track the separate actions that must be performed in order to respond to the security incident
What three records are mentioned as creatable from a SI?
- Change Request
- Incident
- Problem
What is the state that allows a SI to be closed and an appropriate close code to be entered?
Review
What is the Security Incident Response Setup Assistant, and what are the five categories?
This assistant walks the Security Incident Admin [sn_si.admin], or the system admin, through setting up the SIR process in a simple step-by-step fashion
The five categories are:
- System Administration
- Security Incident Response Administration
- Security Incident Email Settings
- Security Incident Playbook Settings
- Capability Configurations (workflow actions, sighting search, email block and delete)
In the SIR Setup Assistant, what occurs in the System Administration category?
- Define SIR users and groups
- Activate integration plugins
In the SIR Setup Assistant, what occurs in the SIR Administration category?
- Manage security incident roles and user groups
- Set up the IR process
- Risk Score Configuration
- Escalations
- SLAs
- Process Definitions
- Post Incident Review
- Set up supporting platform capabilities
- request lifecycle
- catalogs
- notifications
- auto/manual assignments
- knowledge base
- managed docs
- etc.
In the SIR Setup Assistant, what occurs in the Security Incident Playbook Settings category?
- Set up runbook documents to create a specific association between knowledge base articles and security incidents or response tasks, based on some attributes
- Create new / manage pre-defined flows or workflows to respond to security incidents
- Create new / manage pre-defined triggers for automatically assigning playbooks to security incidents
In the SIR Setup Assistant, what occurs in the Security Incident Email Settings category?
- Set up email inboxes to receive alert emails
- Set up user-reported phishing
- Set up email parsers to generate incidents
- Set up inbound email actions on incoming emails
In the SIR Setup Assistant, what occurs in the Capability Configurations category?
- Configure integrations to work with capabilities
- sighting search / block request / email search and delete / enrich configuration item…
Where does detection commonly originate?
Tools such as firewalls, intrusion detection systems, and the logs of email or web gateways. Security incidents can also be raised manually
Are requests raised through the Security Incident Catalog automatically converted to Security Incidents?
NO. Some remain as security requests to be addressed, but all are handled by record producers that drive the resulting actions
Which role is required to add new items to the security incident catalog?
sn_si.admin
What are the two primary ways to manually create a security incident?
- Create it directly from the Security Incident application
- Raise/promote a regular incident to a security incident
What is an email parser and what is its purpose?
An email parser receives inbound email in the tool (much like an inbound action) and creates a record of a chosen type (security incident, vulnerability, threat) when the email matches the field(s) specified on the parser.
Note: If more than one field is specified, ALL of the fields must match the email for a record to be created
What are some examples of fields an email parser may look for?
- email is from a specific address
- email is sent to a specific address
- email subject contains …
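The two cards above describe the matching rule (every specified field must match) and the fields a parser typically checks. The following is an added illustration of those semantics, written here as plain JavaScript; it is not ServiceNow code and does not use any platform API. The rule shape, field names (`from`, `to`, `subjectContains`), record type strings, addresses and sample emails are all constructed assumptions for the example.

```javascript
// Added example: email-parser matching with AND semantics across specified fields.
// Not ServiceNow code; rule/field names and addresses are assumptions for illustration.

// Two hypothetical parser rules. Each lists only the fields it cares about;
// a field that is absent from `conditions` is simply not checked.
const RULES = [
  {
    name: 'IDS alert mail -> security incident',
    createRecord: 'security_incident',
    conditions: { from: 'ids-alerts@example.com', subjectContains: '[IDS]' },
  },
  {
    name: 'Scanner report mail -> vulnerability',
    createRecord: 'vulnerability',
    conditions: { to: 'vuln-intake@example.com' },
  },
];

// Returns true only when EVERY condition on the rule holds for the email.
// A rule with no conditions would match every email (every() over an empty
// set is true), so it is rejected as a misconfiguration instead.
function conditionsMatch(conditions, email) {
  const entries = Object.entries(conditions);
  if (entries.length === 0) {
    throw new Error('parser rule has no conditions; it would match all mail');
  }
  const checks = {
    from: (v) => email.from.toLowerCase() === v.toLowerCase(),
    to: (v) => email.to.map((t) => t.toLowerCase()).includes(v.toLowerCase()),
    subjectContains: (v) => email.subject.toLowerCase().includes(v.toLowerCase()),
  };
  return entries.every(([field, value]) => {
    const check = checks[field];
    if (!check) throw new Error(`unknown parser field: ${field}`);
    return check(value);
  });
}

// Walks the rules in order and returns the record type the first matching
// rule would create, or null when no rule matches (left for manual triage).
function classifyEmail(email, rules = RULES) {
  for (const rule of rules) {
    if (conditionsMatch(rule.conditions, email)) return rule.createRecord;
  }
  return null;
}

// Constructed sample messages (not real mail).
const SAMPLE_IDS_ALERT = {
  from: 'ids-alerts@example.com',
  to: ['soc@example.com'],
  subject: '[IDS] Suspicious outbound connection from 10.0.0.5',
};
const SAMPLE_IDS_DIGEST = {
  from: 'ids-alerts@example.com',   // right sender ...
  to: ['soc@example.com'],
  subject: 'Weekly sensor health digest', // ... but subject lacks "[IDS]"
};
const SAMPLE_SCAN_REPORT = {
  from: 'scanner@example.com',
  to: ['vuln-intake@example.com'],
  subject: 'Scan results for web tier',
};

console.log(classifyEmail(SAMPLE_IDS_ALERT));   // security_incident
console.log(classifyEmail(SAMPLE_IDS_DIGEST));  // null: only one of two fields matched
console.log(classifyEmail(SAMPLE_SCAN_REPORT)); // vulnerability
```

The second sample is the case the note on the card warns about: the sender matches, but because the rule also specifies a subject condition, the digest does not create a security incident. When tuning a real parser, this is why a rule that is "not firing" should be checked field by field rather than by sender alone.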
What is Threat Intelligence?
- The process of collecting valuable or critical information in order to act on or respond to an event
- Specific artifacts (observables)
- Evidence of “signs” of an attack (indicators of compromise - IoC)
What does Threat Intelligence consist of?
Threats, Threat Actors, and TTPs (Tactics, Techniques and Procedures)
- Threats: DDoS, fraud, cyber catastrophes
- Threat Actors: the main players behind an attack
- TTPs: the methods and modes used, including scripted ones
What are the five stages in the Threat Intelligence Lifecycle?
- Aggregate
- Contextualize
- Prioritize
- Utilize
- Learn
Then loop back to Aggregate