Domain 7. Chapter 17 Flashcards

1
Q

Chapter 17 Preventing and Responding to Incidents

  1. Conducting Incident Management
    One of the primary goals of any security program is to prevent security incidents.
    An incident is any event that has a negative effect on the confidentiality, integrity, or availability of an organization’s assets.
    Computer security incident (sometimes called just security incident) commonly refers to an incident that is the result of an attack or the result of malicious or intentional actions on the part of users.

National Institute of Standards and Technology (NIST) special publication (SP) 800-61, Computer Security Incident Handling Guide, defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

Organizations commonly define the meaning of a computer security incident within their security policy or incident management plans.

A
2
Q

1.1 Incident Management Steps
1) Detection 2) Response 3) Mitigation 4) Reporting 5) Recovery 6) Remediation 7) Lessons Learned

NIST SP 800-61, an excellent resource for learning more about incident handling, identifies four phases in the incident response lifecycle: 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and 4) post-incident activity. The seven steps above map onto the last three phases; preparation is the work (plans, tooling, contacts, training) done before any incident occurs.

A
3
Q

1.1.1 Detection
- Intrusion detection and prevention systems (described later in this chapter) send alerts to administrators when they detect a potential incident.
- Antimalware software will often display a pop-up window to indicate when it detects malware.
- Many automated tools regularly scan audit logs looking for predefined events, such as the use of special privileges. When they detect specific events, they typically send an alert to administrators.
- End users sometimes detect irregular activity and contact technicians or administrators for help. When users report events, such as the inability to access a network resource or update a system, it alerts IT personnel about a potential incident.

A
4
Q

1.1.2 Response
Many organizations have a designated incident response team, sometimes called a computer incident response team (CIRT) or computer security incident response team (CSIRT).
Typically, team members investigate the incident, assess the damage, collect evidence, report the incident, and perform recovery procedures. They also participate in the remediation and lessons learned stages, and help with root cause analysis.

A
5
Q

1.1.3 Mitigation
Mitigation steps attempt to contain an incident and limit its scope, for example by isolating a compromised host from the network so it cannot be used to attack other systems while the response continues.

A
6
Q

1.1.4 Reporting
Reporting refers to reporting an incident within the organization and to organizations and individuals outside it.
Organizations often have a legal requirement to report some incidents outside of the organization.
Many jurisdictions have specific laws governing the protection of personally identifiable information (PII).
In response to serious security incidents, the organization should consider reporting the incident to official agencies. In the United States, this may mean notifying the Federal Bureau of Investigation (FBI), district attorney offices, and state and local law enforcement agencies. In Europe, the usual point of contact is the national police or the national CSIRT; the International Criminal Police Organization (INTERPOL) coordinates investigations between national police forces and does not take reports directly from organizations, so a report reaches it through the national authority.

- PCI DSS and GDPR both impose notification duties when data is exposed. GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach (and the affected individuals when the breach poses a high risk to them); PCI DSS requires that the incident response plan include notification of the payment brands (and, in practice, the acquiring bank) when cardholder data is suspected to be compromised. Knowing these deadlines in advance is part of preparation, since 72 hours is not long once an incident is underway.

A
7
Q

1.1.5 Recovery
The next step is to recover the system or return it to a fully functioning state.
Rebuilding the system includes restoring data from the most recent backup, but only a backup known to predate the compromise: restoring from one taken after the attacker gained access restores the attacker's changes along with the data. The time the intrusion began therefore needs to be established from the logs before a backup is chosen.
Things to double-check include the following:

  • Access control lists (ACLs), which include firewall or router rules
  • Services and protocols, ensuring that unneeded services and protocols are disabled or removed
  • Patches, ensuring that all up-to-date patches are installed
  • User accounts, ensuring that they have changed from their default configurations
  • Compromises, ensuring that any known compromises have been reversed

The most secure method of restoring a system after an incident is completely rebuilding it from scratch (a clean operating system install followed by a data restore), because a rebuilt system no longer carries whatever the attacker changed, including changes that were never found.

A
8
Q

1.1.6 Remediation
In the remediation stage, personnel look at the incident, identify what allowed it to occur, and then implement methods to prevent it from happening again.

A
9
Q

1.1.7 Lessons Learned
During the lessons learned stage, personnel examine the incident and the response to see if there are any lessons to be learned. The incident response team will be involved in this stage, but other employees who are knowledgeable about the incident will also participate.

While examining the response to the incident, personnel look for any areas where they can improve their response.

A
10
Q
  2. Implementing Detective and Preventive Measures
    Ideally, an organization can avoid incidents completely by implementing preventive countermeasures. However, no matter how effective preventive countermeasures are, incidents will still happen, which is why detective controls are needed alongside them.
    - Preventive Control A preventive control attempts to thwart or stop unwanted or unauthorized activity from occurring. Examples of preventive controls are fences, locks, biometrics, separation of duties policies, job rotation policies, data classification, access control methods, encryption, smart cards, callback procedures, security policies, security awareness training, antivirus software, firewalls, and intrusion prevention systems.
    - Detective Control A detective control attempts to discover or detect unwanted or unauthorized activity. Detective controls operate after the fact and can discover the activity only after it has occurred. Examples of detective controls are security guards, motion detectors, recording and reviewing of events captured by security cameras or closed-circuit television (CCTV), job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection systems, violation reports, supervision and reviews of users, and incident investigations.
A


11
Q

2.1 Basic Preventive Measures
- Keep systems and applications up to date.
- Remove or disable unneeded services and protocols.
- Use intrusion detection and prevention systems.
- Use up-to-date antimalware software.
- Use firewalls.
- Implement configuration and system management processes.

A
12
Q

2.2 Understanding Attacks
2.2.1 Botnets
Botnets are quite common today. The computers in a botnet are like robots (referred to as bots and sometimes zombies). Multiple bots in a network form a botnet and will do whatever attackers instruct them to do. A bot herder is typically a criminal who controls all the computers in the botnet via one or more command-and-control (C&C or C2) servers.
Computers are typically joined to a botnet after being infected with some type of malicious code or malicious software. Once the computer is infected, it often gives the bot herder remote access to the system and additional malware is installed.
Defenses:
1) There are many methods of protecting systems from being joined to a botnet, so it’s best to use a defense-in-depth strategy, implementing multiple layers of security.
2) It's important to ensure that systems and networks are protected with up-to-date antimalware software.
3) Keeping a system up to date with patches helps keep it protected.
4) Educating users is extremely important as a countermeasure against botnet infections.
5) Many malware infections are browser based, allowing user systems to become infected when the user is surfing the web. Keeping browsers and their plug-ins up to date is an important security practice.

A
12
Q

2.2.2 Denial-of-Service Attacks
1) SYN Flood Attack - uses TCP. The attacker sends many SYN packets (often from spoofed source addresses) but never completes the three-way handshake with the final ACK, so the server accumulates half-open connections until it can accept no new ones.
Using SYN cookies is one method of blocking this attack. Instead of storing a record for each half-open connection, the server encodes the connection details in the initial sequence number of its SYN-ACK; when the final ACK arrives, the server recomputes the cookie from the ACK and, if it matches, establishes the session. Nothing is stored for connections that never complete, so the flood costs the server almost no memory. Firewalls often include mechanisms to check for SYN attacks, as do intrusion detection and intrusion prevention systems.
Another method of blocking this attack is to reduce the amount of time a server waits for the ACK, since the default timeout for a half-open connection can be several minutes on some systems.

2) Smurf and Fraggle Attacks
A smurf attack is another type of flood attack, but it floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of TCP SYN packets. More specifically, the attacker sends a ping (ICMP echo request) to the broadcast address of an amplifying network, spoofing the victim's IP address as the source. Every host on that network replies to the victim, so one packet from the attacker becomes many at the target. This only works if a router forwards the directed broadcast onto the network, which is why directed broadcasts are blocked on routers.
A fraggle attack works the same way with UDP instead of ICMP, typically aimed at UDP ports 7 (echo) and 19 (chargen). The attacker broadcasts a UDP packet using the spoofed IP address of the victim, and all systems on the network then send traffic to the victim, just as with a smurf attack.

3) Ping Flood
A ping flood attack floods a victim with ping requests. This can be very effective when launched by zombies within a botnet as a DDoS attack. If tens of thousands of systems simultaneously send ping requests to a system, the system can be overwhelmed trying to answer the ping requests.
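A toy implementation of the SYN-cookie mechanism described under the SYN flood item above, added here as an example; it is not code from the book or from any real TCP stack, and the bit layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash), the secret, and the 64-second time slots are assumptions chosen for the demo (Linux uses a different layout). The point it shows is that the server keeps no state between SYN and ACK: the SYN-ACK sequence number is a keyed hash over the connection's 4-tuple, the client's ISN and the time slot, and the handshake ACK is accepted only if it reproduces that value.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real TCP stack generates this randomly and rotates it.
SECRET = b"demo-syn-cookie-secret"

# MSS values the server is willing to encode, selected by a 3-bit index in the cookie.
MSS_TABLE = [536, 1220, 1440, 1460]

SLOT_SECONDS = 64  # the time counter advances every 64 s; cookies expire after two slots


def _mac(src_ip, dst_ip, src_port, dst_port, client_isn, counter):
    """24-bit keyed hash binding the cookie to this 4-tuple, client ISN and time slot."""
    data = struct.pack("!4s4sHHII", src_ip, dst_ip, src_port, dst_port, client_isn, counter)
    return int.from_bytes(hmac.new(SECRET, data, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, mss, now):
    """Server side, on SYN: derive the ISN for the SYN-ACK instead of allocating a
    half-open connection. Toy layout: 5 bits time | 3 bits MSS index | 24 bits MAC."""
    counter = (now // SLOT_SECONDS) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(src_ip, dst_ip, src_port, dst_port, client_isn, counter)
    return (counter << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, ack_num, now):
    """Server side, on the handshake ACK: rebuild the connection from the cookie alone.
    Returns the negotiated MSS, or None if the ACK does not carry a valid cookie."""
    cookie = (ack_num - 1) & 0xFFFFFFFF      # the ACK acknowledges our ISN + 1
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (now // SLOT_SECONDS) & 0x1F
    if counter not in (current, (current - 1) & 0x1F):
        return None                          # stale: replayed or simply too old
    expected = _mac(src_ip, dst_ip, src_port, dst_port, client_isn, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                          # forged or corrupted ACK
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def demo():
    """Constructed handshake: a real client completes, a forged ACK and a stale ACK do not."""
    src, dst = bytes([203, 0, 113, 7]), bytes([198, 51, 100, 10])
    client_isn, now = 0x1234ABCD, 1_700_000_000
    cookie = make_cookie(src, dst, 40000, 443, client_isn, 1460, now)
    genuine = check_cookie(src, dst, 40000, 443, client_isn, cookie + 1, now + 30)
    forged = check_cookie(src, dst, 40000, 443, client_isn, cookie + 2, now + 30)
    stale = check_cookie(src, dst, 40000, 443, client_isn, cookie + 1, now + 200)
    return genuine, forged, stale


if __name__ == "__main__":
    print(demo())  # (1460, None, None)
```

The trade-off is visible in the layout: only a few bits are available, so TCP options the cookie does not encode (window scaling, SACK) are lost for connections set up this way, which is why stacks usually enable cookies only once the SYN backlog is full rather than permanently.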

A
13
Q

2.2.3 Zero-Day Exploit
A zero-day exploit refers to an attack on a system exploiting a vulnerability that is unknown to others. However, security professionals use the term in different contexts:
- Attacker discovers a vulnerability first.
- Vendor learns of vulnerability but hasn’t released a patch.
- Vendor releases patch and systems are attacked within 24 hours.
There is a gap between when the vendor releases the patch and when administrators apply it. Microsoft typically releases patches on the second Tuesday of every month, commonly called “Patch Tuesday.” Attackers often try to reverse-engineer the patches to understand them and then exploit them the next day, commonly called “Exploit Wednesday.”

Methods used to protect systems against zero-day exploits include many of the basic preventive measures. Ensure that systems are not running unneeded services and protocols to reduce a system’s attack surface, enable both network-based and host-based firewalls to limit potentially malicious traffic, and use intrusion detection and prevention systems to help detect and block potential attacks. Additionally, honeypots give administrators an opportunity to observe attacks and may reveal an attack using a zero-day exploit.

A
14
Q

2.2.4 Man-in-the-Middle Attacks
A man-in-the-middle (MiTM) attack (sometimes called an on-path attack) occurs when a malicious user establishes a position between two endpoints of an ongoing communication.
There are two types of man-in-the-middle attacks:
- One involves copying or sniffing the traffic between two parties.
- The other type involves attackers positioning themselves in the line of communication, where they act as a store-and-forward or proxy mechanism. The client and server think they are connected directly to each other. However, the attacker captures and forwards all data between the two systems.
For example, the attacker may alter routing information and DNS values, acquire and install encryption certificates to break into an encrypted tunnel, or falsify Address Resolution Protocol (ARP) lookups as a part of the attack.
Some man-in-the-middle attacks are thwarted by keeping systems up to date with patches. An intrusion detection system cannot usually detect man-in-the-middle or hijack attacks directly, but it can detect abnormal activities over communication links, such as unexpected ARP changes or a burst of certificate errors, and raise alerts on suspicious activity. Many users rely on VPNs to avoid these attacks on untrusted networks. Some VPNs are hosted by an employee's organization, but there are also several commercially available VPNs that anyone can use, typically at a cost. A VPN only moves the trust to the VPN provider: it defeats an on-path attacker on the local network, not one positioned between the VPN endpoint and the destination.

A
15
Q

2.2.5 Sabotage
Employee sabotage is a criminal act of destruction or disruption committed against an organization by an employee.
Employee sabotage occurs most often when employees suspect they will be terminated without just cause or if employees retain access after being terminated.

This is another important reason employee terminations should be handled swiftly and account access should be disabled as soon as possible after the termination. Other safeguards against employee sabotage are intensive auditing, monitoring for abnormal or unauthorized activity, keeping lines of communication open between employees and managers, and properly compensating and recognizing employees for their contributions.

A
16
Q

2.3 Intrusion Detection and Prevention Systems
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are two methods organizations typically implement to detect and prevent attacks.
An intrusion occurs when an attacker can bypass or thwart security mechanisms and access an organization’s resources. Intrusion detection is a specific form of monitoring that monitors events (often in real time) to detect abnormal activity indicating a potential incident or intrusion. An intrusion detection system (IDS) automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. Because an IPS includes detection capabilities, you’ll often see them referred to as intrusion detection and prevention systems (IDPSs).

NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems, provides comprehensive coverage of both intrusion detection and intrusion prevention systems, but for brevity uses IDPS throughout the document to refer to both.

A
17
Q

2.3.1 Knowledge- and Behavior-Based Detection
- Knowledge-Based Detection The most common method of detection is knowledge-based detection (also called signature-based detection or pattern-matching detection). It uses a database of known attacks developed by the IDS vendor. Knowledge-based detection on an IDS is similar to signature-based detection used by antimalware applications.
- Behavior-Based Detection The second detection type is behavior-based detection (also called statistical intrusion detection, anomaly detection, and heuristics-based detection). Behavior-based detection starts by creating a baseline of normal activities and events on the system and then alerts on activity that deviates significantly from that baseline. It can catch attacks that have no signature yet, but it produces more false positives, particularly while the baseline is still being tuned, and an attacker who was already active while the baseline was learned becomes part of "normal".

True positive – An incident occurs and is detected.
False negative – An incident occurs but is not detected.
False positive – An incident is detected but did not occur.
True negative – An incident does not occur and is not detected.
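The two detection methods and the four outcomes above, worked through in code. This is an added example, not from the book or any IDS product: the web-server events, the baseline request rates and the three signatures are constructed, and the behaviour-based detector is a deliberately simple "more than k standard deviations above the baseline" rule. Running each detector over the same labelled events and scoring it gives the confusion matrix, and shows why the two methods are layered: the signature detector misses the flood of harmless-looking URLs, the anomaly detector misses the injection probes sent at a normal rate and flags the noisy batch job.

```python
import re
import statistics

# Constructed web-server events: (source, request path, requests from that source in the
# last minute, ground truth: is this really malicious?)
EVENTS = [
    ("10.0.0.5",  "/index.html",                          12, False),
    ("10.0.0.6",  "/login?user=bob",                        9, False),
    ("10.0.0.7",  "/search?q=' OR 1=1--",                  11, True),   # SQLi probe at a normal rate
    ("10.0.0.8",  "/index.html",                          480, True),   # flood of harmless-looking URLs
    ("10.0.0.9",  "/report?id=<script>alert(1)</script>",   8, True),
    ("10.0.0.10", "/backup-job",                           95, False),  # legitimate but noisy batch job
    ("10.0.0.11", "/admin/../../etc/passwd",               10, True),
    ("10.0.0.12", "/products",                             14, False),
]

# Requests per minute per source observed during a quiet training period (constructed).
BASELINE_RATES = [10, 12, 9, 11, 13, 10, 8, 12, 11, 10]

# The "vendor database": patterns of attacks already seen.
SIGNATURES = [
    re.compile(r"\.\./"),                      # directory traversal
    re.compile(r"'\s*or\s*1\s*=\s*1", re.I),   # classic SQL injection
    re.compile(r"<script", re.I),              # reflected XSS payload
]


def knowledge_based(event):
    """Signature match: fires only on attacks that look like something already catalogued."""
    _, path, _, _ = event
    return any(sig.search(path) for sig in SIGNATURES)


def behavior_based(event, rates=BASELINE_RATES, k=3.0):
    """Anomaly detection: flag a request rate more than k standard deviations above baseline."""
    _, _, rate, _ = event
    threshold = statistics.mean(rates) + k * statistics.pstdev(rates)
    return rate > threshold


def layered(event):
    """Both detectors together, as an IDS that combines the two methods would."""
    return knowledge_based(event) or behavior_based(event)


def confusion_matrix(detector, events=EVENTS):
    """Score a detector against ground truth using the four outcomes from the text."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for ev in events:
        flagged, malicious = detector(ev), ev[3]
        key = ("T" if flagged == malicious else "F") + ("P" if flagged else "N")
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for detector in (knowledge_based, behavior_based, layered):
        print(detector.__name__, confusion_matrix(detector))
```

With the constructed data the signature detector scores TP 3 / FP 0 / FN 1 / TN 4, the anomaly detector TP 1 / FP 1 / FN 3 / TN 3, and the two combined TP 4 / FP 1 / FN 0 / TN 3: fewer misses, at the price of the false positive the behaviour rule introduces. Raising k lowers the false positives and raises the misses; that dial is what "tuning the baseline" means in practice.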

A
18
Q

2.3.2 IDS Response
Although knowledge-based and behavior-based IDSs detect incidents differently, they both use an alert system. When the IDS detects an event, it triggers an alarm or alert. It can then respond using a passive or active method.
A passive response logs the event and sends a notification.
An active response changes the environment to block the activity in addition to logging and sending a notification, for example by modifying firewall ACLs to block traffic based on ports, protocols, and source addresses, or even by disabling all communications over specific cable segments. Active responses carry their own risk: an attacker who can trigger false positives with spoofed packets can get the IDS to block legitimate sources.

NIST SP 800-94 recommends placing all active IDSs in line with the traffic so that they function as IPSs.

A
19
Q

2.3.3 Host- and Network-Based IDSs
IDS types are commonly classified as host-based and network-based. A host-based IDS (HIDS) monitors a single computer or host. A benefit of HIDSs over NIDSs is that HIDSs can detect anomalies on the host system that NIDSs cannot detect.

Some of the disadvantages of HIDSs are related to the cost and usability. HIDSs are more costly to manage than NIDSs because they require administrative attention on each system, whereas NIDSs usually support centralized administration. An HIDS cannot detect network attacks on other systems. Additionally, it will often consume a significant amount of system resources, degrading the host system’s performance. Although it’s often possible to restrict the system resources used by the HIDS, this can result in it missing an active attack.

A network-based IDS (NIDS) monitors a network by observing network traffic patterns.

A single NIDS can monitor a large network by using remote sensors to collect data at key network locations; the sensors send their data to a central management console such as a security information and event management (SIEM) system.

A
20
Q

2.3.4 Intrusion Prevention Systems
An intrusion prevention system (IPS) is a special type of active IDS that attempts to detect and block attacks before they reach target systems.
The NIPS is placed inline with the traffic. An NIPS can use knowledge-based detection and/or behavior-based detection, just like any other IDS. Additionally, it can log activity and provide notification to administrators just as an IDS would.

A
21
Q

2.4 Honeypots and Honeynets
Honeypots are individual computers created as a trap or a decoy for intruders or insider threats. A honeynet is two or more networked honeypots used together to simulate a network. They look and act like legitimate systems, but they do not host data of any real value for an attacker.
Legitimate users wouldn’t access the honeypot, so any access to a honeypot is most likely an unauthorized intruder.
Administrators often include pseudo-flaws on honeypots to emulate well-known operating system vulnerabilities. Pseudo-flaws are false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers.

A
22
Q

2.5 Warning Banners
Warning banners inform users and intruders about basic security policy guidelines. They typically mention that online activities are audited and monitored, and they often provide reminders of restricted activities. In most situations, the wording in banners is important from a legal standpoint because these banners can legally bind users to a permissible set of actions, behaviors, and processes.

A
23
Q

2.6 Antimalware
The most important protection against malicious code is the use of antimalware software with up-to-date signature files and heuristic capabilities. Attackers regularly release new malware and often modify existing malware to prevent detection by antimalware software. Antimalware software vendors look for these changes and develop new signature files to detect new and modified malware.

Specialized antimalware software is installed on email servers to detect and filter out any type of malware passed via email. Additionally, antimalware software is installed on each system to detect and block malware. Organizations often use a central server to deploy antimalware software, download updated definitions, and push these definitions out to the clients.
A multipronged approach with antimalware software on each system in addition to filtering internet content helps protect systems from infections from any source.

A
24
Q

2.7 Whitelisting and Blacklisting
One of the methods used to control which applications can run and which applications can’t run is whitelists and blacklists, though these terms are falling into disuse. Today, it’s more common to use the more intuitive phrases allow list (for whitelisting) and deny list or block list (for blacklisting).
Using allow lists and deny lists for applications can also help prevent malware infections.

A
25
Q

2.8 Firewalls
First, firewalls are preventive and technical controls. They attempt to prevent security incidents using technical methods.

  • Block directed broadcasts on routers. A directed broadcast acts as a unicast packet until it reaches the destination network, where the router expands it into a broadcast. Attackers have used these to flood targeted networks with broadcasts (the smurf and fraggle attacks described earlier depend on them), so it's common to block directed broadcasts. Many routers allow the setting to be changed, but the secure setting is to leave directed broadcasts blocked.
  • Block private IP addresses at the border. Internal networks use private IP address ranges (discussed in Chapter 12), and the internet uses public IP address ranges. If traffic from the internet has a source address in a private IP address range, it is a spoofed address, and the firewall should block it.
    Firewalls include rules within an ACL to allow specific traffic and end with an implicit deny rule. The implicit deny rule blocks all traffic not allowed by a previous rule. For example, a firewall can allow HTTP and HTTPS traffic by allowing traffic using TCP ports 80 and 443.
    Second-generation firewalls add additional filtering capabilities. For example, an application-level gateway firewall filters traffic based on specific application requirements and circuit-level gateway firewalls filter traffic based on the communications circuit. Third-generation firewalls (also called stateful inspection firewalls and dynamic packet filtering firewalls) filter traffic based on its state within a stream of traffic.

Application firewalls control traffic going to or from a specific application or service. As an example, a web application firewall (WAF) is a specialized application firewall that protects a web server. It inspects all traffic going to a web server and can block malicious traffic such as SQL injection attacks and cross-site scripting (XSS) attacks. This can be processor intensive, so the WAF filters traffic going to the web server but not all network traffic.

A next-generation firewall (NGFW) functions as a unified threat management (UTM) device and combines several filtering capabilities. It includes traditional functions of a firewall such as packet filtering and stateful inspection. In addition, an NGFW performs deep packet inspection, examining application-layer content rather than only headers, which allows it to identify and block malicious traffic that a port-and-address rule would pass.
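A small first-match packet filter that shows the two rules from the list above (the implicit deny at the end of the ACL, and dropping traffic that arrives from the internet with a private source address), added here as an example; it is not the book's code or any firewall's, and the web-server address, rule set and interface names are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Source ranges that must never arrive on the outside interface (RFC 1918 private space).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]
    ingress: str          # interface the packet arrived on: "outside" or "inside"


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None
    ingress: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and self.ingress in ("any", pkt.ingress)
                and (self.dport is None or self.dport == pkt.dport)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))


def filter_packet(pkt: Packet, rules) -> str:
    """First-match ACL evaluation. Anything no rule allows falls through to the implicit deny."""
    src = ipaddress.ip_address(pkt.src)
    # Anti-spoofing at the border: a private source address cannot legitimately arrive
    # from the internet, so it is dropped before the ACL is even consulted.
    if pkt.ingress == "outside" and any(src in net for net in PRIVATE_RANGES):
        return "deny (spoofed private source)"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny (implicit)"


WEB_SERVER = "198.51.100.10"   # constructed address of the public web server
BORDER_RULES = [
    Rule("allow", proto="tcp", dst_net=WEB_SERVER + "/32", dport=80, ingress="outside"),
    Rule("allow", proto="tcp", dst_net=WEB_SERVER + "/32", dport=443, ingress="outside"),
    # nothing else is listed, so every other inbound packet hits the implicit deny
]


def demo():
    """Constructed packets: only HTTP/HTTPS to the web server gets through from outside."""
    cases = {
        "https_from_internet": Packet("203.0.113.7", WEB_SERVER, "tcp", 443, "outside"),
        "ssh_from_internet":   Packet("203.0.113.7", WEB_SERVER, "tcp", 22, "outside"),
        "udp_443":             Packet("203.0.113.7", WEB_SERVER, "udp", 443, "outside"),
        "spoofed_private_src": Packet("10.1.2.3", WEB_SERVER, "tcp", 443, "outside"),
    }
    return {name: filter_packet(pkt, BORDER_RULES) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Note that "udp_443" is denied even though port 443 is allowed: the allow rules name TCP, and a first-match ACL never widens a rule for you. The same applies in reverse, which is why a packet filter that allows "TCP 80" passes SQL injection inside an HTTP request; stopping that needs the application-layer inspection a WAF or NGFW adds.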

A


26
Q

2.9 Sandboxing
Sandboxing provides a security boundary for applications and prevents the application from interacting with other applications. Antimalware applications use sandboxing techniques to test unknown applications. If the application displays suspicious characteristics, the sandboxing technique prevents the application from infecting other applications or the operating system.

A
27
Q

2.10 Third-Party Security Services
This can include many different types of services, such as auditing and penetration testing.
These organizations often outsource some of the services, and PCI DSS requires organizations to ensure that service providers also comply with PCI DSS requirements.
Some software as a service (SaaS) vendors provide security services via the cloud.

A
28
Q
  3. Logging and Monitoring
    Logging and monitoring procedures help an organization prevent incidents and provide an effective response when they occur. Logging records events into various logs, and monitoring reviews these events. Combined, they allow an organization to track, record, and review activity, providing overall accountability.
A
29
Q

3.1 Logging Techniques
Logging is the process of recording information about events to a log file or database. Logging captures events, changes, messages, and other data describing activities on a system.
Common Log Types:
- Security Logs
- System Logs
- Application Logs
- Firewall Logs
- Proxy Logs
- Change Logs

A
30
Q

3.2 Protecting Log Data
Personnel within the organization can use logs to re-create events leading up to and during an incident, but only if the logs haven’t been modified. If attackers can modify the logs, they can erase their activity, effectively nullifying the value of the data.
It's common to store copies of logs on a central system, such as a security information and event management (SIEM) system, to protect them. Even if an attack modifies or corrupts the original files, personnel can still use the copy to view the events, provided the copy was shipped before the attacker gained control of the host. One way to protect log files is by assigning permissions to limit their access; another is to make them append-only or tamper-evident so that any modification is detectable.
Organizations often have strict policies mandating backups of log files.
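One way to make a log tamper-evident, added here as an example of the integrity protection this section calls for; neither the technique's use here nor the code comes from the book, and the key, the audit records and the tags are constructed. Each entry carries an HMAC over the record and the previous entry's tag, so the tags form a chain: editing or deleting an entry breaks every link after it, and the central system only needs the latest tag (the "anchor") to detect that the tail has been cut off.

```python
import hashlib
import hmac
import json

# Constructed key. It belongs on the central log server (or SIEM), not on the host writing
# the log, so an attacker who owns the host cannot recompute tags after editing entries.
CHAIN_KEY = b"central-log-server-key"
GENESIS = "0" * 64


def _tag(prev_tag: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append_entry(chain: list, record: dict) -> list:
    """Append a record whose tag covers both the record and the previous entry's tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "tag": _tag(prev, record)})
    return chain


def verify_chain(chain: list):
    """Return the index of the first entry that fails to verify, or None if the chain is intact.
    Editing or deleting an entry in the middle breaks every link from that point on."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["tag"], _tag(prev, entry["record"])):
            return i
        prev = entry["tag"]
    return None


def verify_against_anchor(chain: list, anchor_tag: str) -> bool:
    """Cutting entries off the end leaves a chain that still verifies; catching that needs the
    latest tag held on the central system (the anchor) for comparison."""
    return (verify_chain(chain) is None and bool(chain)
            and hmac.compare_digest(chain[-1]["tag"], anchor_tag))


def demo():
    # Constructed audit records for one session.
    records = [
        {"ts": "2024-05-01T10:00:00Z", "user": "alice", "event": "login ok"},
        {"ts": "2024-05-01T10:05:12Z", "user": "alice", "event": "sudo su -"},
        {"ts": "2024-05-01T10:06:40Z", "user": "alice", "event": "logout"},
    ]
    chain = []
    for rec in records:
        append_entry(chain, dict(rec))
    anchor = chain[-1]["tag"]                  # shipped to the SIEM as each entry is written
    intact = verify_chain(chain)               # None: nothing wrong
    chain[1]["record"]["event"] = "login ok"   # attacker rewrites the privilege escalation
    edited = verify_chain(chain)               # 1: first entry that no longer verifies
    truncated = verify_against_anchor(chain[:1], anchor)  # False: the tail was cut off
    return intact, edited, truncated


if __name__ == "__main__":
    print(demo())  # (None, 1, False)
```

The chain does not stop an attacker who controls the host from deleting the whole file; that is what the off-host copy is for. What it adds is the ability to prove that the copy and the original agree, or to point at exactly where they diverge.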

A
31
Q

3.3 The Role of Monitoring
3.3.1 Audit Trails
Audit trails are records created when information about events and occurrences is stored in one or more databases or log files.
They provide a record of system activity and can reconstruct activity leading up to and during security events. Security professionals extract information about an incident from an audit trail to prove or disprove culpability, and much more. Audit trails are also essential as evidence in the prosecution of criminals.
3.3.2 Monitoring and Accountability
Monitoring is necessary to ensure that subjects (such as users and employees) can be held accountable for their actions and activities. Users claim an identity (such as with a username) and prove their identity (by authenticating), and audit trails record their activity while they are logged in.
Users who are aware that logs are recording their IT activities are less likely to try to circumvent security controls or perform unauthorized or restricted activities.
Legislation often requires specific monitoring and accountability practices. This includes laws such as the Sarbanes–Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), and European Union (EU) privacy laws that many organizations must abide by.
3.3.3 Monitoring and Investigations
Audit trails give investigators the ability to reconstruct events long after they have occurred. They can record access abuses, privilege violations, attempted intrusions, and many different types of attacks. After detecting a security violation, security professionals can reconstruct the conditions and system state leading up to the event, during the event, and after the event through a close examination of the audit trail. One important consideration is ensuring that logs have accurate timestamps and that these timestamps remain consistent throughout the environment. A common method is to set up an internal Network Time Protocol (NTP) server synchronized to a trusted time source such as a public NTP server. Other systems can then synchronize with this internal NTP server.
3.3.4 Monitoring and Problem Identification
Audit trails offer details about recorded events that are useful for administrators. They can record system failures, OS bugs, and software errors in addition to malicious attacks.

A
32
Q

3.4 Monitoring Techniques
Monitoring is the process of reviewing logs, looking for something specific. Personnel can manually review logs or use tools to automate the process.

Many organizations use a centralized application to automate the monitoring of systems on a network. Several terms are used to describe these tools, including security information and event management (SIEM), security event management (SEM), and security information management (SIM). These tools provide centralized logging and real-time analysis of events occurring on systems throughout an organization.

Many IDSs and IPSs send collected data to a SIEM system. The system also collects data from many other sources within the network, providing real-time monitoring of traffic and analysis and notification of potential attacks.
For example, a SIEM can monitor a group of email servers.

Depending on the event, it can raise an alarm for an administrator or take some other action.

SIEMs often include sophisticated correlation engines. A correlation engine is a software component that collects the data and aggregates it, looking for common attributes across events from different sources (the same source address appearing in firewall and web-server logs, for example). It then applies analytic rules to detect abnormalities and sends alerts to security administrators.

Some monitoring tools are also used for inventory and status purposes.

Software monitoring watches for attempted or successful installations of unapproved software, use of unauthorized software, or unauthorized use of approved software

A
33
Q

3.5 Syslog
RFC 5424, The Syslog Protocol, describes syslog, which is used to send event notification messages. A centralized syslog server receives these messages from devices on a network. The RFC defines how messages are formatted (a priority value that encodes facility and severity, a header, optional structured data, and free text) but not how the receiver should store or act on them; the transport mappings (plain UDP, and TLS where confidentiality and integrity in transit are needed) are specified in companion RFCs.
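A parser for the RFC 5424 message format, added here as an example of what the protocol defines; it is not code from the book or from any syslog implementation, and the two sample messages are constructed. It splits the priority value into facility and severity, reads the seven header fields, and parses the structured-data elements (including the escaping of `"`, `\` and `]` inside parameter values) before handing back the free-text message.

```python
import re
from dataclasses import dataclass, field

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
               "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
              + [f"local{i}" for i in range(8)])

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA [SP MSG]
HEADER = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
SD_ELEMENT = re.compile(r'\[([^\]\s"]+)((?:\s+[^=\s\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^=\s\]"]+)="((?:[^"\\]|\\.)*)"')


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    app_name: str
    proc_id: str
    msg_id: str
    structured_data: dict = field(default_factory=dict)
    msg: str = ""

    @property
    def facility_name(self):
        return FACILITIES[self.facility] if self.facility < len(FACILITIES) else str(self.facility)

    @property
    def severity_name(self):
        return SEVERITIES[self.severity]


def _unescape(value):
    # RFC 5424 escapes ", \ and ] inside PARAM-VALUE with a backslash
    return re.sub(r'\\(["\\\]])', r"\1", value)


def _parse_structured_data(rest):
    if rest.startswith("-"):                         # NILVALUE: no structured data
        return {}, rest[2:] if rest.startswith("- ") else ""
    sd, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT.match(rest, pos)
        if not m:
            raise ValueError("malformed STRUCTURED-DATA at offset %d" % pos)
        sd[m.group(1)] = {k: _unescape(v) for k, v in SD_PARAM.findall(m.group(2))}
        pos = m.end()
    return sd, rest[pos + 1:] if pos < len(rest) else ""   # skip the single SP before MSG


def parse_syslog(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group(1))
    if pri > 191:                                    # facility 0..23 times 8, plus severity 0..7
        raise ValueError("PRI out of range")
    sd, msg = _parse_structured_data(m.group(8))
    return SyslogMessage(pri >> 3, pri & 7, int(m.group(2)), m.group(3), m.group(4),
                         m.group(5), m.group(6), m.group(7), sd, msg)


# Constructed sample messages: an auth failure with structured data, and a plain heartbeat.
SAMPLES = [
    '<34>1 2024-05-01T10:05:12.000Z host1.example.com sshd 1234 LOGIN '
    '[auth@32473 user="alice" result="fail" src="203.0.113.7"] Failed password for alice',
    '<165>1 2024-05-01T10:06:40Z host1.example.com myapp - ID1 - heartbeat',
]

if __name__ == "__main__":
    for line in SAMPLES:
        m = parse_syslog(line)
        print(m.facility_name, m.severity_name, m.app_name, m.structured_data, m.msg)
```

Two things a practitioner should take from it: the priority value is all a receiver has to route on (34 is facility 4, auth, severity 2, crit, because 4 * 8 + 2 = 34), and everything after the header is untrusted input from the sending host, which is why the parser rejects malformed structured data instead of guessing.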

A
34
Q

3.6 Sampling
Sampling, or data extraction, is the process of extracting specific elements from a large collection of data to construct a meaningful representation or summary of the whole. In other words, sampling is a form of data reduction that allows someone to glean valuable information by looking at only a small sample of data in an audit trail.

A
35
Q

3.7 Clipping Levels
Clipping is a form of nonstatistical sampling. It selects only events that exceed a clipping level, which is a predefined threshold for the event. The system ignores events until they reach this threshold.

For example, failed logon attempts are common in any system, since users can easily enter the wrong password once or twice. Instead of raising an alarm for every single failed logon attempt, a clipping level can be set to raise an alarm only if it detects five failed logon attempts within a 30-minute period. Many account lockout controls use a similar clipping level. They don’t lock the account after a single failed logon. Instead, they count the failed logons and lock the account only when the predefined threshold is reached.

A

Clipping Levels. Clipping is a form of nonstatistical sampling. It selects only events that exceed a clipping level, which is a predefined threshold for the event. The system ignores events until they reach this threshold. For example, failed logon attempts are common in any system, since users can easily enter the wrong password once or twice. Instead of raising an alarm for every failed logon attempt, a clipping level can be set to raise an alarm only if it detects five failed logon attempts within a 30-minute period. Many account lockout controls use a similar clipping level. They don't lock the account after a single failed logon. Instead, they count the failed logons and lock the account only when the predefined threshold is reached.

36
Q

3.8 Other Monitoring Tools
- Keystroke Monitoring Keystroke monitoring is the act of recording the keystrokes a user performs on a physical keyboard. The monitoring is commonly done via technical means such as a hardware device or a software program known as a keylogger. However, a video recorder can perform visual monitoring. In most cases, attackers use keystroke monitoring for malicious purposes.
- Traffic Analysis and Trend Analysis Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the actual packet contents. These processes are sometimes referred to as network flow monitoring. They can infer a lot of information, such as primary and backup communication routes, the location of primary servers, sources of encrypted traffic, the amount of traffic supported by the network, the typical direction of traffic flow, the frequency of communications, and much more.

A
  • Keystroke Monitoring Keystroke monitoring is the act of recording the keystrokes a user performs on a physical keyboard. The monitoring is commonly done via technical means such as a hardware device or a software program known as a keylogger. However, a video recorder can perform visual monitoring. In most cases, attackers use keystroke monitoring for malicious purposes.
  • Traffic Analysis and Trend Analysis Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the actual packet contents. These processes are sometimes referred to as network flow monitoring. They can infer a lot of information, such as primary and backup communication routes, the location of primary servers, sources of encrypted traffic, the amount of traffic supported by the network, the typical direction of traffic flow, the frequency of communications, and much more.
37
Q

3.9 Log Management
Log management refers to all the methods used to collect, process, and protect log entries. As discussed previously, a SIEM system collects and aggregates log entries from multiple systems. It then analyzes these entries and reports any suspicious events.
After a system forwards log entries to a SIEM system, it’s acceptable to delete the log entries. However, these usually aren’t deleted from the original system right away. Instead, systems typically use rollover logging, sometimes called circular logging or log cycling.
Windows systems allow administrators to archive logs, which is useful if a SIEM system isn’t available.
Another option is to create and schedule a PowerShell script to regularly archive the files and copy them to another location, such as a backup server using a UNC path.

A
38
Q

3.10 Egress Monitoring
Monitoring traffic isn’t limited to traffic within a network or entering a network. It’s also important to monitor traffic leaving a network to the internet, also called egress monitoring. This can detect the unauthorized transfer of data outside the organization, often referred to as data exfiltration. Some common methods used to detect or prevent data exfiltration are data loss prevention (DLP) techniques and monitoring for steganography.

Steganography allows attackers to embed messages within other files such as graphic or audio files. It is possible to detect steganography attempts if you have both the original file and a file you suspect has a hidden message. If you use a hashing algorithm such as Secure Hash Algorithm 3 (SHA-3), you can create a hash of both files. If the hashes are the same, the file does not have a hidden message. However, if the hashes are different, it indicates the second file has been modified. Forensic analysis techniques might be able to retrieve the message.

An advanced implementation of watermarking is digital watermarking. A digital watermark is a secretly embedded marker in a digital file. For example, some movie studios digitally mark copies of movies sent to different distributors. Each copy has a different mark, and the studios track which distributor received which copy. If any of the distributors release pirated copies of the movie, the studio can identify which distributor did so.

A
39
Q

3.11 Automating Incident Response
Incident response automation has improved considerably over the years, and it continues to improve. The following sections describe some of these improvements, such as security orchestration, automation, and response (SOAR), artificial intelligence (AI), and threat intelligence techniques.

A
40
Q

3.12 SOAR allows security administrators to define these incidents and the response, typically using playbooks and runbooks:

  • Playbook A playbook is a document or checklist that defines how to verify an incident. Additionally, it gives details on the response. A playbook for the SYN flood attack would list the same actions security administrators take to verify a SYN flood is under way. It would also list the steps administrators take after verifying it is a SYN flood attack.
  • Runbook A runbook implements the playbook data into an automated tool. For example, if an IDS alerts on the traffic, it implements a set of conditional steps to verify that the traffic is a SYN flood attack using the playbook’s criteria. If the IDS confirms the attack, it then performs specified actions to mitigate the threat.
A

SOAR allows security administrators to define these incidents and the response, typically using playbooks and runbooks:
  • Playbook A playbook is a document or checklist that defines how to verify an incident. Additionally, it gives details on the response. A playbook for the SYN flood attack would list the same actions security administrators take to verify a SYN flood is under way. It would also list the steps administrators take after verifying it is a SYN flood attack.
  • Runbook A runbook implements the playbook data into an automated tool. For example, if an IDS alerts on the traffic, it implements a set of conditional steps to verify that the traffic is a SYN flood attack using the playbook's criteria. If the IDS confirms the attack, it then performs specified actions to mitigate the threat.

41
Q

3.13 Machine Learning and AI Tools
- Machine learning is a part of artificial intelligence and refers to a system that can improve automatically through experience. ML gives computer systems the ability to learn.
- Artificial intelligence is a broad field that includes ML. It gives machines the ability to do things that a human can do better or allows a machine to perform tasks that we previously thought required human intelligence. This is a moving target, though.

A key point is that machine learning is a part of the broad topic of AI.

These two examples demonstrate the major difference between machine learning and AI. A machine-learning system (part of AI) starts with a set of rules or guidelines. An AI system starts with nothing and progressively learns the rules. (However, a separate algorithm outside of the AI system enforces the rules. It tells the AI system when it makes an illegal move and when it wins or loses a game.) It then creates its own algorithms as it learns the rules and applies machine-learning techniques based on these rules.

A machine-learning system would use this baseline as a starting point. During normal operation, it detects anomalies and reports them.

An AI system starts without a baseline. Instead, it monitors traffic and slowly creates its own baseline based on the traffic it observes. As it creates the baseline, it also looks for anomalies. An AI system also relies on feedback from administrators to learn if alarms are valid or false positives.

A
42
Q

3.14 Threat Intelligence
Threat intelligence refers to gathering data on potential threats. It includes using various sources to get timely information on current threats. Many organizations use it to hunt for threats.

A
43
Q

3.14.1 Understanding the Kill Chain
The military has used a kill chain model to disrupt attacks for decades.
The military model has a lot of depth, but in short, it includes the following phases:
1 Find or identify a target through reconnaissance.
2 Get the target’s location.
3 Track the target’s movement.
4 Select a weapon to use on the target.
5 Engage the target with the selected weapon.
6 Evaluate the effectiveness of the attack.

Lockheed Martin created the Cyber Kill Chain framework. It includes seven ordered stages of an attack:
1 Reconnaissance. Attackers gather information on the target.
2 Weaponization. Attackers identify an exploit that the target is vulnerable to, along with methods to send the exploit.
3 Delivery. Attackers send the weapon to the target via phishing attacks, malicious email attachments, compromised websites, or other common social engineering methods.
4 Exploitation. The weapon exploits a vulnerability on the target system.
5 Installation. Code that exploits the vulnerability then installs malware. The malware typically includes a backdoor, allowing the attacker to access the system remotely.
6 Command and Control. Attackers maintain a command and control system, which controls the target and other compromised systems.
7 Actions on objectives. Attackers execute their original goals such as theft of money, theft of data, data destruction, or installing additional malicious code such as ransomware.

A
44
Q

3.14.2 Understanding the MITRE ATT&CK
The MITRE ATT&CK Matrix (created by MITRE and viewable at attack.mitre.org) is a knowledge base of identified tactics, techniques, and procedures (TTPs) used by attackers in various attacks. It is complementary to kill chain models, such as the Cyber Kill Chain. However, unlike kill chain models, the tactics are not an ordered set of attacks. Instead, ATT&CK lists the TTPs within a matrix. Additionally, attackers are constantly modifying their attack methods, so the ATT&CK Matrix is a living document that is updated at least twice a year.

The matrix includes the following tactics:

Reconnaissance
Resource development
Initial access
Execution
Persistence
Privilege escalation
Defense evasion
Credential access
Discovery
Lateral movement
Collection
Command and control
Exfiltration
Impact

A
45
Q

3.15 Threat Feeds
A threat feed is a steady stream of raw data related to current and potential threats. However, in its raw form, it can be difficult to extract meaningful data. A threat intelligence feed attempts to extract actionable intelligence from the raw data. Here is some of the information included in a threat intelligence feed:

Suspicious domains
Known malware hashes
Code shared on internet sites
IP addresses linked to malicious activity

Some security organizations sell platforms that integrate with threat feeds and automatically provide organizations with the data they need to respond quickly.

A
46
Q

3.16 Threat Hunting
Threat hunting is the process of actively searching for cyber threats in a network. This goes beyond waiting for traditional network tools to detect and report attacks. It starts with the premise that attackers are in the network now, even if none of the preventive and detective controls have detected them and raised warnings. Instead, security professionals aggressively search systems looking for indicators of threats.

A