Domain 7

Question 1

Intelligence in Threat Modeling
User and Entity Behavior Analytics

Answer 1

Entity behavior is collected and input into a threat model

• Model establishes a baseline of normal behavior
• Enables analysis to uncover more details around anomalous events
• automated investigation also exists in some pklatforms

Question 2

Intelligence in Threat Modeling
Threat Intelligence

Answer 2

Threat feeds

Org learns about changes in threat landscape

Often a feed containing malicious entities ingested by cybersecurity tools
- A single feed may be composed of many sources including open source
- Entity = IP website, threat actor, file hash, more

Question 3

Service Level Agreement

Answer 3

Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn’t meet expectations

• generally used with vendors

Question 4

Secure provisioning

Answer 4

Ensure eresources are deployed in a secure maner and maintained securely through their lifecycles

Ex) deploy a PC from a secure image

Question 5

Virtual Assets

Answer 5

• VMs
• Virtual Desktop Infrastructure (VDI) compute
• Software Defined Networks (SDN) network
• Virtual Storage Area Networks (SAN) storage

Hypervisors are the primary component that manages virtual assets, but also provide hackers with additional target
- Both hypervisors and VM need to be patched

Question 6

Configuration & Change Management
Configuration Management

Answer 6

Ensures that systems are configured similarly, config is known and documented

Baselining ensures systems are deployed with common starting point (ex imaging)

Question 7

Managing Incident Response (7 Steps)

Answer 7

1. Detection - Monitoring tools, IPS, firewalls
2. Response - Triage, decision to declare (is it really an incident?) Limiting damage
3. Mitigation - First containment effort contain an incident
4. Reporting - to relevant stakeholders mngmt decsions
5. Recovery - Return to normal mngmt decisions
6. Remediation - Root cause addressed Include root cause analysis
7. Lessons Learned - helps prevent recurrence

DRMRRRL

Question 8

Espionage

Answer 8

External
When a competitor tries to steal info, and they may use an internal employee

Question 9

Sabotage

Answer 9

Internal

Malicious insiders can perform sabotage against an org if they become disgruntled

Question 10

Zero-Day Exploit

Answer 10

Brand new vulns

An attack that uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people

• Basic security practices can often still prevent

Question 11

Sampling

Answer 11

Extracting elements from a large body of data to make a meaningful summary

Question 12

Statistical Sampling

Answer 12

Using precise mathematical functions to extract meaningful info from a large amount of data

Question 13

Clipping

Answer 13

A form of non-statistical sampling that record only events that exceed a threshold

Question 14

Security Audits and Reviews

Answer 14

Helps ensure management programs are effective and being followed

• prevents violations
• can also oversee programs and processes

Includes:
- Patch management
- Vuln managment
- Change management
- Config Management

Question 15

Auditing
(You know what this is but some important notes)

Answer 15

Serves as a primary type of detective control

• Frequency is based on Risk
• Key element for displaying Due Care
• Only people with sufficient privilege should have access

Question 16

Access Review

Answer 16

Ensures object access and account mngmt practices support the security policy

Question 17

User Entitlement Audit

Answer 17

Ensures principle of least privilege is followed

Question 18

Categories of Computer Crimes (6 types)

Answer 18

• Military and Intelligence
• Business
• Financial
• Terrorist
• Grudge
• Thrill

Question 19

Electronic Discovery (eDiscovery)

Answer 19

Organizations expecting lawsuit have a duty to preserve digital evidence

Process includes:
- Info ID and Governance
- Preservation and collection
- Processing, review, analysis
- Production / Presentation

• Often uses tagging classification, target specific custodian

Question 20

Gathering Info in Investigations
Possesion

Answer 20

You must have posession of equiptment, software, or data to analyze it and use it as evidence

Question 21

Gathering Info in Investigations
Modification

Answer 21

You must acquire the evidence without modifying it.

• Law enforcement establishes a chain of evidence to document all who handled it

Question 22

Alternatives to Confiscating Evidence (3 types)

Answer 22

1. Vulntary surrender
2. Subpoena - Used to compel the subject to surrender evidence
3. Search Warrant - Most useful when need to confiscate evidence without giving the subject the chance to alter it

Question 23

Retaining Investigation Data

Answer 23

You will lose valuable evidence unless you ensure critical log files are retained for a reasonable period of time

• You can retain log file and system status info either in-place or in archives
• data retention should be defined in security policies

Question 24

Evidence Types
Best

Answer 24

Original

NOTE:
Evidence must be relevant, complete, sufficient and reliable

Question 25

*Evidence Types* Secondary Evidence

Answer 25

Copy

Question 26

*Evidence Types* Direct

Answer 26

Proves or disproves an act based on the five senses

Question 27

*Evidence Types* Conclusive

Answer 27

Incontrovertible, overrides all other types

Question 28

*Evidence Types* Circumstantial

Answer 28

Inference from other info

Question 29

*Evidence Types* Corroborative

Answer 29

Supporting evidence but cannot stand on its own

Question 30

*Evidence Types* Opinions

Answer 30

Expert and non expert

Question 31

*Evidence Types* Hearsay

Answer 31

Not based on first hand knowledge

Question 32

3 Types of evidence that may be used in a **criminal or civil** trial

Answer 32

1. Real evidence - **actual objects** brought into the courtroom 2. Documentary evidence - **Written documents** 3. Testimonial Evidence - verbal / written statements **made by witnesses**

Question 33

3 Requirements for evidence to be **admissible in a court of law**

Answer 33

1. Must be **relevant** to a fact at issue in the case 2. The fact must be **material** to the case 3. Evidence must be **competent or legally collected** - Evidence is *competent* if it complies with certain traditional notions or reliability

Question 34

*Recovery Site Types* COLD

Answer 34

Just a data center space, power, and network connectivity thats ready and waiting for when you need it - If disaster happens, support teams can help move your hardware into the data center and get you back uop and running - Cost = **LOW** - Effort = **HIGH**

Question 35

*Recovery Site Types* WARM

Answer 35

**Preventative** site that allows you to pre-install your hardware and pre-configure your bandwidth needs - If disaster strikes, all you have to do is load your software and data to restore business systems - Cost = **MID** - Effort = **MID**

Question 36

*Recovery Site Types* HOT

Answer 36

**Proactive** site allows you to keep servers and a live backup site up and running - Allows for an immediate cutover in case of a disaster at primary site. - Cost = **HIGH** - Effort = **LOW**

Question 37

*Recovery Site Types* Service Bureau

Answer 37

A company that lease computer time - Larger server farms or fields of workstation - May be onsite or remote

Question 38

*Recovery Site Types* Mobile Site

Answer 38

Typically self-contained trailers or moveable units

Question 39

Recovery Point Objective (RPO)

Answer 39

The **age of files** that must be recovered from **backup storage** for normal operations to resume if a system or network goes down

Question 40

Recovery Time Objective (RTO)

Answer 40

The **duration of time and a service level** within which a business process must be restored.

Question 41

Mutual Assistance Agreements (MAAs) (Pros and Cons)

Answer 41

Pros: - Provide **inexpensive** alternative to disaster recovery sites Cons: - Orgs involved may be shut down by the *same disaster* and MAAs raise **confidentiality concerns** - MAAs are **uncommon** bc they are difficult to enforce

Question 42

*More BCP Definitions* Business Resumption Plan (BRP)

Answer 42

Plan to move from the disaster recovery site back to business environment

Question 43

*More BCP Definitions* Mean Time Between Failures (MTBF)

Answer 43

Time determination for how long a piece of IT infrastructure will continue to work before it fails

Question 44

*More BCP Definitions* Mean Time to Repair (MTTR)

Answer 44

How long it will take to get a piece of hardware / software repaired and back on line

Question 45

*More BCP Definitions* Max Tolerable Downtime (MTD)

Answer 45

Amount of time we can be without an asset BEFORE we must declare a disaster

Question 46

*Disaster Recovery Plan Test Types* Read-through Test

Answer 46

Distribute copies of **disaster recovery plans** to the members of the disaster recovery team for **review**

Question 47

*Disaster Recovery Plan Test Types* Structured Walk-through

Answer 47

**AKA Table-top exercise** Members of recovery team meet and role-play disaster scenario - Usually exact scenario is only known to **the test monitor**

Question 48

*Disaster Recovery Plan Test Types* Simulation Test

Answer 48

Similar to walk through but some of the **response measures are actually tested**

Question 49

*Disaster Recovery Plan Test Types* Parallel Test

Answer 49

Relocating personnel to. **alternative recovery site** and implementing site activation procedures - Practice disaster recovery at alt site

Question 50

*Disaster Recovery Plan Test Types* Full Interruption Test

Answer 50

**Actually shutting down operations** at the **primary site** and shifting them to the alt site

Question 51

*DR Related Terms* Recovery Team

Answer 51

Gets the critical business functions running at **alt site**

Question 52

*DR Related Terms* Salvage Team

Answer 52

Used to return the **primary site** to normal conditions

Question 53

*Backup Strategies* Electronic Vaulting

Answer 53

Used to transfer DB backups to a **remote site** as part of bulk transfer

Question 54

*Backup Strategies* Remote Journaling

Answer 54

Transmitting only the **journal / transaction logs** to the off-site facility and not the actual files

Question 55

*Backup Strategies* Remote Mirroring

Answer 55

**Live DB Server** is maintained at the backup site - Most advanced and most expensive