Applying Tools to Identify Malicious Activity Flashcards
Wireshark
A widely used protocol analyzer.
tcpdump
A command-line packet sniffing utility.
Endpoint detection and response (EDR)
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
Sandboxing
A computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Communication links between the sandbox and the host are usually completely prohibited so that malware or faulty software can be analyzed in isolation and without risk to the host.
Kill Chain
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses to a network intrusion.
Kill Chain Process
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control
Actions on Objective
Diamond Model of Intrusion Analysis
A framework for analyzing cybersecurity incidents.
Open Source Security Testing Methodology Manual
Developed by the Institute for Security and Open Methodologies (ISECOM), this manual outlines every area of an organization that needs testing and goes into details about how to conduct the relevant tests.
The MITRE ATT&CK Matrix
This framework provides a database of observed tactics, techniques, and procedures (TTPs) of various threat actor groups.
Hash
The fixed-length output of a hashing function, designed so that the original input cannot feasibly be recovered from it.
Sender Policy Framework (SPF)
A DNS record identifying hosts authorized to send mail for the domain.
DomainKeys Identified Mail (DKIM)
A cryptographic authentication mechanism for mail utilizing a public key published as a DNS record.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
A framework for ensuring proper application of SPF and DKIM, utilizing a policy published as a DNS record.
SPF record or Sender Policy Framework record
This describes a special DNS TXT record used to identify the hosts authorized to send emails for a domain.