4.4 Given an incident, apply mitigation techniques or controls to secure an environment. Flashcards
Endpoint
An end-user device, such as a smartphone, laptop, tablet, or desktop. Most of the controls below are applied at the endpoint because that is where malware runs and where users handle data.
Approved list
The IT team creates a list of applications that are approved (an allowlist), and no other applications are allowed to run. Very restrictive: any new application that is not already on the list must be submitted to the IT team for approval before it will run.
The IT team can identify an approved application by a hash of its executable, so only that exact binary is permitted.
Blocklist
The “bad list.”
A user can install and run any app unless it is specifically on the deny list.
Anti-virus and antimalware products work this way: they ship a deny list of known-malicious files (signatures or hashes) and allow everything else.
Quarantine
An isolated area where anything suspicious can be moved so that it cannot execute or spread. The file is kept there rather than deleted so it can be examined or restored if it turns out to be a false positive.
How do IT teams add apps to an approved list?
They could use an application hash, a code-signing certificate, a path to a location, or base the policy on the network zone.
- Application hash: approves one exact binary. If the application is updated or patched, the hash changes and the new version must be re-approved.
- Certificate: approves anything signed by a trusted publisher, so updates keep running, but every app that publisher signs is allowed.
- Path: approves anything in a protected location such as C:\Program Files; this is only safe if users cannot write to that directory.
- Network zone: applies the rule only while the device is in a given zone, e.g. the internal network.
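The following Python is an added example, not part of the original flashcards, that shows the two modes side by side: an approved-list check using SHA-256 hashes and protected-directory path rules, and a blocklist check. It builds fake executables in a temporary directory (constructed data; the file names and the `Program Files` directory are assumptions) and shows the hash caveat above: after the approved binary is "updated", its hash no longer matches.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable, Tuple

Decision = Tuple[bool, str]   # (allowed?, reason)


def sha256_file(path: str) -> str:
    """SHA-256 of an executable, read in chunks so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def approved_list_decision(path: str, approved_hashes: Iterable[str],
                           approved_dirs: Iterable[str]) -> Decision:
    """Approved-list (allowlist) mode: run only if a rule explicitly permits it.

    Hash rules are checked first because they pin one exact binary; path rules
    approve anything installed under a protected directory.
    """
    if sha256_file(path) in set(approved_hashes):
        return True, "hash match"
    resolved = Path(path).resolve()
    for d in approved_dirs:
        if Path(d).resolve() in resolved.parents:
            return True, "under approved directory " + d
    return False, "not on approved list"


def blocklist_decision(path: str, blocked_hashes: Iterable[str]) -> Decision:
    """Blocklist mode: run unless the binary is specifically denied."""
    if sha256_file(path) in set(blocked_hashes):
        return False, "hash on deny list"
    return True, "not on deny list"


def demo() -> dict:
    """Run both modes over constructed files in a temp directory; returns each decision."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        program_files = os.path.join(tmp, "Program Files")   # stands in for a protected install dir
        downloads = os.path.join(tmp, "Downloads")            # user-writable location
        os.makedirs(program_files)
        os.makedirs(downloads)

        approved = os.path.join(downloads, "approved_app.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ constructed approved build 1.0\n")   # fake executable contents
        approved_hashes = {sha256_file(approved)}

        unknown = os.path.join(downloads, "unknown_tool.exe")
        with open(unknown, "wb") as f:
            f.write(b"MZ constructed unknown tool\n")

        installed = os.path.join(program_files, "vendor_app.exe")
        with open(installed, "wb") as f:
            f.write(b"MZ constructed vendor app\n")

        known_bad = os.path.join(downloads, "dropper.exe")
        with open(known_bad, "wb") as f:
            f.write(b"MZ constructed known-bad sample\n")
        blocked_hashes = {sha256_file(known_bad)}

        results["approved_by_hash"] = approved_list_decision(approved, approved_hashes, [program_files])

        # A vendor update changes the bytes, so the hash rule no longer matches.
        with open(approved, "ab") as f:
            f.write(b"patch 1.1\n")
        results["after_update"] = approved_list_decision(approved, approved_hashes, [program_files])

        results["approved_by_path"] = approved_list_decision(installed, approved_hashes, [program_files])
        results["unknown_under_allowlist"] = approved_list_decision(unknown, approved_hashes, [program_files])
        results["unknown_under_blocklist"] = blocklist_decision(unknown, blocked_hashes)
        results["known_bad_under_blocklist"] = blocklist_decision(known_bad, blocked_hashes)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:26} {'ALLOW' if allowed else 'DENY':5} ({reason})")
```

The same unknown tool is denied under the approved list and allowed under the blocklist, which is the whole difference between the two models; the path rule only holds if the approved directory is not writable by ordinary users.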
MDM
Mobile device management can enable or disable phone and tablet functions (camera, app installation, storage encryption, remote wipe) regardless of where the device physically is.
DLP
Data loss prevention can identify and block the transfer of PII or other sensitive data, typically by inspecting content as it leaves the endpoint or network (email, web uploads, USB).
This could be credit card numbers, social security numbers, etc. Good DLP rules validate what they match (for example, a card number must pass its check digit) so that any 16-digit number does not trigger a block.
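The following Python is an added example, not part of the original flashcards, of the kind of content inspection a DLP engine performs: it finds payment card numbers (validated with the Luhn check digit) and US SSNs (rejecting area/group/serial values that are never issued), decides whether to block the message, and redacts the findings. The outbound-mail log lines are constructed for the example; the 4111 ... 1111 number is the standard Visa test PAN, not a real card.

```python
import re
from typing import List, Tuple

# Payment card PAN: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out random digit runs (ticket ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) findings for one message or log line."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", digits))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group(0)))
    return findings


def redact(text: str) -> str:
    """Mask validated findings in place, keeping the last four card digits for support staff."""
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # not a card number, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    text = CARD_RE.sub(mask_card, text)
    return SSN_RE.sub("***-**-****", text)


def dlp_verdict(message: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Policy: block any outbound message that carries a card number or SSN."""
    findings = find_sensitive(message)
    return ("BLOCK" if findings else "ALLOW"), findings


# Constructed outbound-mail log lines (not real data).
SAMPLE_LINES = [
    "to=partner@example.net subject=invoice body=card 4111 1111 1111 1111 exp 12/27",
    "to=hr@example.com subject=onboarding body=applicant SSN 123-45-6789",
    "to=ops@example.com subject=ticket body=ticket id 1234567890123456 opened",
    "to=ops@example.com subject=test body=value 000-12-3456 is not a valid SSN",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, findings = dlp_verdict(line)
        print(verdict, findings, "->", redact(line))
```

The third line carries a 16-digit ticket number that fails the Luhn check and the fourth an SSN-shaped value with an unissued area number; both are allowed through, which is the difference between a DLP rule and a bare regex.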
Content Filter
Also known as a URL filter, it can limit access to untrusted websites and block known-malicious sites.
Large, shared blocklists of suspicious and malicious URLs feed these filters, usually supplemented by site categories (gambling, file sharing, etc.) that the organization chooses to block.
Describe SOAR and how it differs from SIEM.
Security Orchestration, Automation, and Response
– Integrates third-party tools and data sources
– Makes security teams more effective by automating repetitive response work
* Runbooks
– Linear checklist of steps to perform
– Step-by-step approach to automation
– Examples: reset a password, create a website certificate, back up application data
* Playbooks
– Conditional steps to follow; a broad process
– Examples: investigate a data breach, recover from ransomware
A SIEM collects, correlates, and alerts on log data; SOAR takes those alerts and automates the response through runbooks and playbooks. The difference is the automated response, not the data collection.
Segmentation
Separate the network into zones (VLANs, subnets, firewall rules)
– Prevent unauthorized lateral movement between zones
– Limit the scope of a breach to the zone where it started
Containment
Application containment
– Run each application in its own sandbox
– Limit interaction with the host operating system and other applications
– Ransomware running inside the sandbox cannot reach files outside it
* Contain the spread of a multi-device security event, e.g., ransomware
– Disable administrative shares (ADMIN$, C$) so the malware cannot copy itself to other hosts
– Disable remote management (RDP, WinRM, PsExec-style tools)
– Disable local account access and change the local administrator password, since a shared local admin password is what lets one infected host log on to the next
Process Isolation
– Limit application execution
– Prevent malicious activity but allow device management
Network isolation
– Isolate to a remediation VLAN
– No communication with other devices apart from the remediation tooling
Isolation
– Administratively isolate a compromised device from everything else
– Prevent the spread of malicious software
– Prevent remote access or C2 (Command and Control)
Blackhole
A blackhole is a location in the network that quietly discards (“drops”) incoming or outgoing messages without notifying the source that the traffic did not reach its destination; in practice it is a null route or a firewall rule that drops traffic to or from an address. Blackholing counts as an isolation technique because it cuts the attacker (or a compromised host) off from the rest of the network without revealing that the traffic is being filtered.