LDR551-Book2 Flashcards

1
Q

What should a user do if they disagree with the CLA terms?

A

Not access the Courseware, return for refund

2
Q

What actions are prohibited without SANS Institute’s consent?

A

Copying, reproducing, distributing, modifying Courseware

3
Q

What are the consequences of breaching the CLA?

A

Irreparable harm, enforceable by injunction

4
Q

What must the user warrant regarding sanction programs?

A

Not listed on OFAC or BIS denied party lists

5
Q

What must the user avoid regarding U.S. export control laws?

A

Not allow access to embargoed countries

6
Q

What are the key topics in Section 2 of LDR551?

A

Collection and Monitoring, Cyber Defense Theory, SOC Tools, MITRE ATT&CK

7
Q

What mindset should modern cyber defense teams adopt?

A

Presumption of Compromise

8
Q

What is a key focus of modern cyber defense?

A

Detection-Oriented Defense

9
Q

Who should proactively assume compromise in a SOC?

A

Hunt teams

10
Q

What should be the priority for hunt teams?

A

Post-exploitation stage attacks

11
Q

What should hunt teams do when they find an issue?

A

Take care of it quickly and thoroughly

12
Q

What is a risk-informed strategy in SOC?

A

Align defenses to prevent most damaging scenarios.

13
Q

What is the Lockheed Martin Cyber Kill Chain designed to model?

A

Advanced persistent threats (APTs).

14
Q

What is a common misuse of the Cyber Kill Chain?

A

Applying it to all alerts.

15
Q

What is the purpose of the Kill Chain and Mandiant Attack Cycle?

A

Visualize attack progress and steps.

16
Q

What happens if the Kill Chain is used beyond its intended purpose?

A

It leads to confusion.

17
Q

What is the advantage of Org 2’s defense strategy?

A

Better “defense in depth” posture.

18
Q

What does the Pyramid of Pain illustrate?

A

How much pain it causes an adversary when you deny each indicator type: cheap for hash values and IP addresses at the bottom, costly for tools and TTPs at the top.

19
Q

What is a drawback of relying on bottom layer items in the Pyramid of Pain?

A

Hashes, IPs and domains are trivial for an attacker to change, so detections built only on them are easy to bypass.

20
Q

Why is a spread of detection capabilities important?

A

Provides defense in depth across the pyramid.

21
Q

What are the characteristics of items at the top of the pyramid?

A

Longer living, broad coverage, lower fidelity

22
Q

What are the characteristics of indicators at the bottom of the pyramid?

A

Short-lived, easy to identify attacks

23
Q

Why do the two types of analytics team up well?

A

Provide depth of coverage in different scenarios

24
Q

What should you do if your analytics distribution is lacking?

A

Make it a priority to build up the missing piece

25
What does MITRE ATT&CK provide?
Standardized vocabulary of tactics and techniques
26
What do tactics describe in the MITRE ATT&CK framework?
Goals attackers need to accomplish
27
What happens when a new attack technique is found by MITRE?
It is added under one or more tactics
28
What should you do if you can detect relevant items on the MITRE ATT&CK framework?
Give yourself a pat on the back
29
How does MITRE ATT&CK help newer analysts?
Provides learning opportunity for attacker TTPs
30
What can you do if you have no threat intel but know APT X attacks your industry?
Prioritize techniques used by APT X
31
How can MITRE ATT&CK be used to measure defensive team improvement?
Objectively measure defensive team improvement
32
What indicates Blue Team improvement in MITRE ATT&CK?
Rise in percentage or count of covered techniques
33
What is the PICERL model based on?
NIST SP 800-61 "Computer Security Incident Handling Guide"
34
What stage do most analysts drop in during the PICERL model?
Identification stage
35
What does the DAIR model address compared to PICERL?
Practical-application criticisms of PICERL, chiefly that real response is not one linear pass through the phases
36
What does DAIR highlight the need for?
Security monitoring, threat intelligence, vulnerability remediation
37
How does DAIR conceptualize incident response?
As multiple events occurring across time.
38
How does DAIR differ from the PICERL model?
DAIR uses waypoints, outcomes, and activities.
39
Are PICERL and DAIR mutually exclusive?
No, they complement each other.
40
What is the OODA loop?
Observe, Orient, Decide, Act.
41
Who designed the OODA loop?
John Boyd, a military strategist.
42
What does the OODA loop represent for a SOC?
Stages to go head-to-head with adversaries.
43
What drives the operations tempo in a SOC?
The OODA loop.
44
What is the key step in the OODA loop?
The "Orient" phase.
45
What is the main takeaway from the OODA loop model?
Faster, accurate loops win head-to-head situations.
46
What differentiates a manager from a leader according to Peter Drucker?
Manager does things right; leader does the right things.
47
What are the two roles required to run a SOC?
Management and leadership.
48
What must a leader of a SOC be aware of?
Industry news, trends, and available tools.
49
What is necessary for day-to-day SOC operations?
Balanced workload, following processes, securing the organization.
50
What is the main goal in infinite games?
Stay in the game as long as possible
51
What are examples of finite games?
Sports, board games
52
What are examples of infinite games?
Business, marriage, education, life
53
What is the primary difference between finite and infinite games?
How you win
54
What happens in infinite games by definition?
They have no end
55
What is the goal of finite games?
To beat out your opponent
56
What do finite games have that infinite games lack?
A clear outcome at the ending time
57
What do infinite games require for long-term success?
Infinite strategies
58
What mindset is doomed for sub-optimal results in infinite games?
Finite game mindset
59
What do finite-minded players tend to overlook?
Second order effects
60
What does Sinek say about finite-minded businesses?
They may rely too heavily on a single product
61
What does human nature drive us to focus on in finite games?
Personal rewards
62
What is necessary to succeed in an infinite game?
Focus on the long term
63
What is the focus of a short-term SOC strategy?
Ticket numbers closed, time-based goals
64
What should a SOC optimize for in an infinite game strategy?
Job satisfaction, retention, engagement
65
What is a key aspect of playing with an infinite strategy in SOC?
Sustainability of workload
66
What does Sinek's infinite game strategy emphasize for SOCs?
Continuous improvement, team building
67
What should a human-focused SOC prioritize?
Challenging, growing, and creative employees
68
What is the benefit of cybersecurity mental models?
Help analysts understand complex events
69
What is the goal of SOC Theory and Models?
Avoid misapplying models, help operations
70
What are the main tools used daily by SOC analysts?
EDR/XDR, SIEM, TIP, IMS
71
What does SOAR stand for?
Security Orchestration, Automation, & Response
72
What is the role of EDR/XDR in a SOC?
Central interface for querying, detection, analysis
73
What is the function of a SIEM?
Nexus of all log data
74
What does a Threat Intelligence Platform provide?
Context around matched IOCs
75
What is the purpose of an Incident Management System?
Ticketing system for working incidents
76
What does SOAR focus on in a SOC?
Automation tools for efficiency
77
What do Use Case Databases/Playbooks/SOPs inform analysts about?
Actions to take when an alert triggers
78
What is stored in an Unstructured Information Knowledgebase?
Additional reference data for analysts
79
What is a common use for systems like OneNote or SharePoint in a SOC?
Collaboratively adding and editing data
80
What is the main job of a SIEM?
Receive and parse all logs correctly
81
Why is high-quality data important for a SIEM?
Better chances for successful detection
82
What is the role of a Threat Intelligence Platform in a SOC?
Stores tactical, operational, strategic threat intel
83
What must be exported periodically to a SIEM or IDS?
All atomic indicators
84
What should a TIP ideally contain?
Info on how, when, and why each atomic item was marked as an IOC.
85
What does an analyst need to do when an alert goes off?
Find why the IP was marked bad.
86
What is the main source of incoming data for the IMS?
Alerts sent from the environment.
87
What should analysts do once incidents are investigated and closed?
Close the associated ticket.
88
What is a key item to note when closing an incident ticket?
Categorization of the incident.
89
Why should metrics be noted in a structured way?
To help SOC managers allocate budget.
90
What should be done before selecting or changing an IMS?
Thoroughly test contenders with real-world scenarios.
91
Who should drive the testing of IMS contenders?
Analysts.
92
What should a SOC knowledgebase include?
Unstructured documents, reference info, and general storage.
93
What is essential for a knowledgebase to be useful?
Usability and ease of maintenance.
94
What is the first step in selecting the right technology?
Identify the opportunity.
95
What is the second step in selecting the right technology?
Define analysis criteria.
96
What is the third step in selecting the right technology?
Identify alternatives.
97
What is the fourth step in selecting the right technology?
Compare features & functionality.
98
What is a major element of security operations?
Technology
99
Why is it important to maintain governance over SOC technologies?
To manage changes and improvements
100
What must you quantify when investing in SOC technology?
Return on investment
101
What is MITRE's formal analysis process called?
Analysis of Alternatives (AoA)
102
What does AoA provide a framework for?
Evaluating and comparing solutions
103
What can help keep your decision data-driven and objective?
Using the AoA process as a reference
104
What did the US Government Accountability Office report about the Department of Defense?
Caused budget overruns by not evaluating alternatives
105
What can conducting a proper evaluation when selecting new tools help reduce?
Cost and operational risks
106
What are the five phases of the AoA process?
Identify opportunity, define criteria, identify alternatives, compare, report
107
What should strategic priorities inform?
Tool deployment and data collection
108
What can attack tree diagrams help with?
Brainstorming damaging attacks and planning defenses
109
What is a vital step in devising a threat-informed defense?
Using threat modeling output for planning
110
What tools are commonly used in SOCs?
EDR & XDR, SIEM, Threat Intelligence Platform, Incident Management System
111
What should be the goal when purchasing SOC tools?
Improve analyst workflow and organize detection data
112
What is the goal of the initial course section?
Understand what to purchase now and what can wait.
113
What is the first step in the core SOC process?
Data collection.
114
What will be reviewed in the systems-level model of the collection function?
Most important sources of log data.
115
What complicates data collection according to the text?
New encryption protocols.
116
What is crucial in the SOC process for effective detection and triage?
Appropriate data collection.
117
What does the collection system include?
Environment, Auditing, Collection Policy.
118
What is the first core function discussed in the text?
Data collection capability.
119
What happens between events being generated and collected?
Events are logged/recorded and centralized.
120
What influences whether events are recorded locally or centrally?
Auditing policy and collection policy.
121
What is the ideal collection system for security data?
Perfect Auditing Policy, Complete Collection.
122
What should be centralized in an ideal collection system?
Events of security value.
123
What major input influences the ability to detect attacks?
Threat intelligence.
124
What characterizes the realistic collection system in average organizations?
Imperfect Auditing Policy, Best effort Collection Policy.
125
Why might some important events not be recorded centrally?
Gaps in knowledge, affordability, visibility.
126
What drives the best effort solution in realistic collection systems?
Volume, access, threat intel.
127
What is a consequence of not having a proper auditing policy?
Inadequate attack detection capability.
128
What is the first step in setting up an effective system for attack detection?
Setting up an auditing policy and network infrastructure
129
What must thorough collection be matched with?
A solid centralization and collection strategy
130
Why is starting off with a good auditing and collection policy important?
It gives the best chance of attack detection downstream
131
What are the two components of complete collection?
Network Security Monitoring (NSM) and Continuous Security Monitoring (CSM)
132
What does Network Security Monitoring (NSM) include?
Full packet capture and network metadata
133
What does Continuous Security Monitoring (CSM) include?
Endpoint/device-generated data and application/SaaS logs
134
What are the two major types of data in the collection function?
Network data and endpoint data
135
What does network data tell us?
Who is talking to whom, protocols used, and conversation content
136
What does endpoint and application data provide?
Details about processes and access nature
137
Why is it important to have both network and endpoint data?
Attackers may subvert endpoint data collection
138
What is a key aspect of audit policy in a SOC?
Flexibility, as collection needs may change
139
What drives log volume in a collection policy?
Collection policy
140
What should you consider when deciding what to collect?
Specific goals for collection
141
What are some goals for log collection?
IOC-based matching, advanced attack detection, audit, compliance
142
What is a common misconception about compliance and log collection?
That it means full collection of everything possible
143
What are the three common strategies for log centralization?
Input-driven, output-driven, and a balanced approach
144
What is the most cost-effective and high-performing way of collecting logs?
Output-driven collection
145
What is the hybrid collection approach?
Start input-driven, then reduce noise
146
What should be done with high-volume, likely not useful items?
Turn them off
147
What should be done with low-volume, potentially useful logs?
Leave them on
148
Which approach does the SANS Blue Team Operations curriculum recommend?
Hybrid approach
149
What is a key feature of the hybrid approach?
Emphasizes tactical collection
150
Why should your auditing and collection strategy be in constant flux?
To adapt to changing threats
151
What course is recommended for SIEM engineers and SOC analysts?
SEC555: SIEM with Tactical Analytics
152
What is a key to success in audit policy flexibility?
Fast approval process for changes
153
Why must your collection policy be nimble?
To keep up with attackers
154
What should be centrally managed in a nimble collection policy?
Audit policies
155
What should be fast-tracked in emergency situations?
Pushing changes
156
What is a benefit of having control over audit policy changes?
Maintain OODA loop pace
157
What is the goal of tactical collection?
Balance centralization and local storage
158
Why are PowerShell logs often not recorded?
They can be very high volume
159
What does FireEye recommend for logging PowerShell?
Centrally log specific events
160
What is an alternative if you can't centralize all logs?
Store them locally
161
What is the easiest method for log collection?
SIEM agent
162
What is the most customizable log collection method?
SIEM agent/Third-party agent
163
What is the built-in OS forwarding method for Windows?
Windows Event Forwarding
164
What is the built-in OS forwarding method for Linux?
Syslog Daemon (Rsyslog, Syslog-ng)
165
What should you consider when choosing a log collection method?
What you are optimizing for
166
What is a downside of packaged SIEM agents?
May lack advanced features
167
What is a suggested third-party log agent with a free edition?
NXLog
168
What is the built-in logging method for Linux/Unix?
syslog daemon
169
What is the built-in logging method for Windows?
Windows Event Forwarding
170
What is a benefit of using the OS's built-in logging method?
Path of least resistance
171
What can you set up if built-in logging methods are not an option?
Agentless pickup via remote system
172
What are the separable functions inside a SIEM?
Parsing, Filtering, Enrichment, Indexing, Storage
173
What does parsing in SIEM involve?
Breaking logs into constituent fields
174
What is the purpose of filtering in SIEM?
Decide if log is stored or discarded
175
What does enrichment in SIEM do?
Correlates logs with external data
176
What is the role of indexing in SIEM?
Index log entries for quick retrieval
177
Why is data quality important in SIEM?
Determines the usefulness of logs
178
What happens if data is not parsed correctly in SIEM?
SIEM can't understand it
179
What is categorization in SIEM?
Labeling events with tags
180
What is normalization in SIEM?
Standardizing field names across sources
181
What does data enrichment involve in SIEM?
Supplementing logs with additional context
182
What does enrichment help with in threat hunting?
Turns event logs into detailed threat hunting data
183
What are some highest-value host-based data sources?
Authentication events, process creation, IOC matches
184
Why do we need the output of security tools like antivirus?
They match known IOCs and provide high-fidelity detections
185
What makes a great starting point for detecting malicious activity?
Authentication events
186
What should SOCs look deeper into beyond brute force attempts?
Context of logins and their origins
187
What is a fast-acting detection for privileged accounts?
Identifying use outside expected locations
188
What information do host process creation events provide?
What ran, when, where, hash, signature, arguments
189
What are high-value items to monitor for malware persistence?
Autorun keys, installed services, scheduled tasks
190
Why is it important to compare autorun programs across an enterprise?
To find malicious items by ranking common autoruns
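The cross-enterprise autorun comparison above, as an added Python example (not course material): stack Autoruns-style entries across hosts, normalize per-user profile paths so one program counts once, rank by prevalence and pull out the long tail. The host inventory, registry keys and task names below are constructed sample data.

```python
"""Least-frequency-of-occurrence stacking of autorun entries across hosts.

Added example for the persistence-monitoring cards; not course code. Each
record is "host,location,image", the shape an Autoruns CSV export gives you;
the sample inventory below is constructed.
"""
import csv
import re
from collections import defaultdict
from io import StringIO

SAMPLE_AUTORUNS = """\
host,location,image
WS01,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,C:\\Program Files\\Vendor\\agent.exe
WS02,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,C:\\Program Files\\Vendor\\agent.exe
WS03,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,C:\\Program Files\\Vendor\\agent.exe
WS04,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,C:\\Program Files\\Vendor\\agent.exe
WS01,Task Scheduler\\OneDrive Standalone Update Task,C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe
WS02,Task Scheduler\\OneDrive Standalone Update Task,C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe
WS03,Task Scheduler\\OneDrive Standalone Update Task,C:\\Users\\carol\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe
WS04,HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,C:\\Users\\bob\\AppData\\Roaming\\svchost.exe
WS02,Task Scheduler\\Maintenance,C:\\ProgramData\\update\\up.exe
"""

# Collapse C:\Users\<name>\ to C:\Users\*\ so the same program installed in
# different profiles stacks as one entry instead of one entry per user.
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\")

def normalize_image(image):
    return USER_PROFILE.sub(lambda m: "c:\\users\\*\\", image.strip().lower())

def load_records(text):
    return list(csv.DictReader(StringIO(text)))

def stack_autoruns(records):
    """(location, normalized image) -> set of hosts carrying that autorun."""
    hosts_by_entry = defaultdict(set)
    for r in records:
        key = (r["location"].strip().lower(), normalize_image(r["image"]))
        hosts_by_entry[key].add(r["host"])
    return dict(hosts_by_entry)

def rank_by_prevalence(hosts_by_entry):
    """Most widespread first; the tail of this list is the review queue."""
    return sorted(hosts_by_entry.items(), key=lambda kv: (-len(kv[1]), kv[0]))

def rare_entries(hosts_by_entry, max_hosts=1):
    """Entries on at most max_hosts hosts, as (location, image, [hosts])."""
    return [(loc, img, sorted(hosts))
            for (loc, img), hosts in rank_by_prevalence(hosts_by_entry)
            if len(hosts) <= max_hosts]

if __name__ == "__main__":
    stacked = stack_autoruns(load_records(SAMPLE_AUTORUNS))
    for (loc, img), hosts in rank_by_prevalence(stacked):
        print(f"{len(hosts):>3} host(s)  {loc}  {img}")
    print("\nreview these:")
    for loc, img, hosts in rare_entries(stacked):
        print(f"  {hosts}  {img}")
```

On the sample, the vendor agent stacks on all four hosts and the OneDrive updater on three once the user names are collapsed; the two single-host entries (an svchost.exe under a roaming profile and an updater in ProgramData) fall out as the review queue. In practice raise max_hosts with fleet size and also stack on image hash, since a renamed binary stacks differently from a repacked one.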
191
What are some highest-value network-based data sources?
Network service logs, proxy/web logs, DNS, DHCP
192
What do network service logs help with?
Identify anomalies during threat hunting
193
What do proxy and weblogs, DNS, and DHCP help us find?
What is on the network and where devices are going
194
What protocols help catch potential lateral movement?
SSH, SMB, PowerShell Remoting, VNC, RDP
195
What are some new challenges for network-based data collection?
TLS 1.3, DoH/DoT, HTTP/2 & 3, QUIC
196
What does TLS 1.3 enforce that affects traffic decryption?
Perfect forward secrecy
197
What is the impact of encrypted certificate details in TLS 1.3?
Cannot passively record certificate info
198
What does Encrypted Client Hello (ECH) hide?
Domain name, leaving only IP address visible
199
What is TLS 1.3?
A new TLS encryption standard released in 2018.
200
When was TLS 1.2 released?
2008
201
What does TLS 1.3 fix compared to TLS 1.2?
Many security issues present in TLS 1.2
202
What type of cipher suites does TLS 1.3 allow?
Only those providing "perfect forward secrecy" (PFS)
203
What is required to decrypt a TLS 1.3 connection?
Unique information from every TLS connection
204
How could traffic be decrypted in older standards?
With the server's private key
205
What must be present for the entire conversation in TLS 1.3?
The interception proxy
206
What certificate details are no longer visible in TLS 1.3?
Details for the site the user is connecting to
207
What field can still be used to detect the domain name in TLS 1.3?
The "SNI" field
208
What does Encrypted Client Hello (ECH) encrypt?
The entire "Client Hello" portion of a TLS handshake
209
What will be the only details left without decryption with ECH?
IP address and port
210
Who originally developed TLS fingerprinting?
Salesforce's security team (JA3, the predecessor of JA4)
211
What is JA4 in TLS fingerprinting?
Client fingerprint
212
What is JA4S in TLS fingerprinting?
Server fingerprint
213
What does JA4 concatenate and hash?
Fields from "ClientHello" TLS packet
214
What can JA4 fingerprints help identify?
Good and bad connections without decryption
215
What can network security monitoring tools like Zeek create?
JA4 and JA4S hashes
216
What does JARM do differently from JA4?
Actively probes a server and fingerprints responses
217
How can JARM be used to identify malicious servers?
By creating a JARM fingerprint of the server
218
What is a potential risk of using endpoint telemetry over network layer visibility?
It may ruin your OPSEC: an attacker on a compromised host can see the endpoint agent, whereas passive network monitoring is invisible from the endpoint.
219
What is a recommended action if you can't get approval for TLS decryption?
Deploy tools to check JA4 hashes.
220
What is DNS over HTTPS (DoH)?
DNS traffic over port 443 using TLS/HTTPS.
221
What does DoH mean for DNS traffic?
DNS traffic becomes indistinguishable from web traffic.
222
What is a security concern with DoH?
Blocking non-controlled DNS servers becomes harder.
223
What must you do to log DNS requests with DoH?
Intercept TLS or provide your own DoH server.
224
Which applications use DoH by default, bypassing system DNS settings?
Firefox.
225
How can you identify DoH traffic without decryption?
Check destination IP addresses of well-known DoH providers.
226
What should you search for to test normal uses of DoH on your network?
Port 443 traffic to known DNS server IPs.
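The two DoH checks above (port 443 to known resolver addresses, and plaintext DNS to resolvers you do not control), as an added Python example run over constructed flow records; this is not course code. The resolver addresses are the public resolvers 1.1.1.1/1.0.0.1, 8.8.8.8/8.8.4.4 and 9.9.9.9, which serve DoH on 443; INTERNAL_RESOLVERS is an assumed sanctioned resolver and the flow lines are made up.

```python
"""Spot DNS-over-HTTPS and uncontrolled plaintext DNS in flow records without
decrypting anything.

Added example for the DoH cards; not course code. Flow records are simplified
Zeek-style conn lines (ts, src, dst, dst_port, proto) constructed below.
Maintain KNOWN_DOH_RESOLVERS and INTERNAL_RESOLVERS from your own environment.
"""
from collections import Counter
from dataclasses import dataclass

KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
INTERNAL_RESOLVERS = {"10.0.0.53"}  # assumption: the org's sanctioned DNS server

@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dst_port: int
    reason: str

def parse_flow(line):
    """One tab-separated flow line: ts  src  dst  dst_port  proto."""
    ts, src, dst, dport, proto = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst, "dst_port": int(dport), "proto": proto}

def classify(flow):
    """Return a reason string when the flow bypasses the sanctioned resolver."""
    dst, port = flow["dst"], flow["dst_port"]
    if port == 443 and dst in KNOWN_DOH_RESOLVERS:
        return "probable DoH to public resolver (bypasses system DNS logging)"
    if port == 53 and dst not in INTERNAL_RESOLVERS:
        return "plaintext DNS to non-sanctioned resolver"
    return None

def find_dns_bypass(lines):
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            findings.append(Finding(flow["src"], flow["dst"], flow["dst_port"], reason))
    return findings

def top_sources(findings, n=5):
    """Which hosts do it most: baseline the normal DoH users (e.g. Firefox) first."""
    return Counter(f.src for f in findings).most_common(n)

# Constructed sample flows; the first line is a header comment and is skipped.
SAMPLE_FLOWS = """\
#ts\tsrc\tdst\tdst_port\tproto
1700000000.1\t10.1.2.3\t10.0.0.53\t53\tudp
1700000001.2\t10.1.2.3\t1.1.1.1\t443\ttcp
1700000002.3\t10.1.2.4\t8.8.8.8\t53\tudp
1700000003.4\t10.1.2.4\t93.184.216.34\t443\ttcp
1700000004.5\t10.1.2.3\t9.9.9.9\t443\ttcp
""".splitlines()

if __name__ == "__main__":
    found = find_dns_bypass(SAMPLE_FLOWS)
    for f in found:
        print(f"{f.src} -> {f.dst}:{f.dst_port}  {f.reason}")
    print("top sources:", top_sources(found))
```

This is a heuristic: it only catches DoH to resolvers on your list, so an attacker running DoH on their own server is invisible to it. For that case you still need TLS interception or your own DoH endpoint, or TLS fingerprinting (JA4) of the client as described on the cards above.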
227
What is a challenge with HTTP/2 and HTTP/3 for SOCs?
Interception is required to view the protocol.
228
Why is interception required for protocol analysis?
To even view the protocol.
229
What is a major challenge with HTTP/2 and HTTP/3 for SOCs?
They complicate data analysis.
230
How has data representation changed in HTTP/2 and HTTP/3?
It has drastically changed for performance.
231
What is a limitation of Wireshark with HTTP/2?
Cannot carve files out automatically.
232
What makes analysis of malicious activity over HTTP/2 and HTTP/3 difficult?
Encryption is effectively guaranteed: browsers only implement HTTP/2 over TLS, and HTTP/3 runs on QUIC, which is always encrypted.
233
What did James Kettle's research at DEF CON 2021 reveal?
Issues with HTTP/2 in some applications.
234
What problem did James Kettle demonstrate with a SaaS vendor's application?
Users logged in as random others.
235
What is a challenge with NSM in the cloud?
Cloud collection options are less developed.
236
What level of visibility do most SOCs consider adequate for cloud assets?
Flow log-level visibility.
237
Which cloud platform has the most feature complete offerings for visibility?
AWS.
238
What is a key consideration for SOC data collection?
Clear goals and careful planning.
239
What must SOC managers be good stewards of?
Organization's data and investments.
240
What does the MITRE ATT&CK framework help with in SOCs?
Data source prioritization.
241
What can threat groups be translated into?
Tactics and techniques
242
What is the numeric identification scheme for mitigations in ATT&CK?
M####
243
What do group pages in the ATT&CK knowledge base list?
Techniques and software used
244
What are groups in the ATT&CK framework?
Sets of related attack campaigns
245
Give examples of named threat groups.
APT1, DarkHotel, Turla
246
What does the software category in ATT&CK enumerate?
Tools and open-source software used by attackers
247
What is the numeric identification scheme for software in ATT&CK?
S####
248
What do data sources in ATT&CK list?
Sources of information for detecting techniques
249
What new addition was made in ATT&CK v12?
Tracking individual campaigns
250
Which data source covers the most ATT&CK techniques?
Command execution
251
How many techniques does Command Execution cover?
155 techniques
252
What is the second most relevant data component after Command Execution?
Process Creation
253
What is the purpose of ATT&CK Navigator?
Identify priority attack techniques and detection gaps
254
What is the first step in using ATT&CK Navigator for assessments?
Make a layer for each threat group
255
What should be done after creating layers in ATT&CK Navigator?
Sum the layers to find highest numbers
256
What is the first step in using the ATT&CK Navigator application?
Make separate layers for each threat group
257
How does MITRE ATT&CK fill in techniques for threat groups?
Using its built-in knowledge
258
What does each technique receive in the ATT&CK Navigator?
A "score" to differentiate it
259
What is the result of adding all individual threat group layers together?
A super-layer of all threat group activities
260
What can you enter to take the analysis further in ATT&CK Navigator?
Data sources and mitigations
261
What emerges after combining threat layers with mitigation and data source layers?
A quick way to assess gaps in coverage
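The layer arithmetic described in the cards above (one layer per threat group, summed into a super-layer, then compared with coverage), as an added Python example that is not the Navigator's own code. The group-to-technique mappings and coverage scores are constructed; real ones come from the ATT&CK group pages and your own data-source or DeTT&CT layers. The dicts use the Navigator layer-file fields "name", "domain" and "techniques" (a list of {"techniqueID", "score"}); real layer files carry additional fields.

```python
"""Sum ATT&CK Navigator threat-group layers into a super-layer, then subtract
detection coverage to rank gaps.

Added example for the Navigator cards; not the Navigator's own code. The
group-to-technique mappings and the coverage scores are constructed.
"""
import json
from collections import defaultdict

def layer(name, technique_scores):
    """Minimal Navigator-style layer from a {techniqueID: score} mapping."""
    return {"name": name, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": t, "score": s} for t, s in technique_scores.items()]}

# Constructed: score 1 means "this group is known to use the technique".
GROUP_LAYERS = [
    layer("Group A", {"T1059": 1, "T1078": 1, "T1021": 1, "T1053": 1}),
    layer("Group B", {"T1059": 1, "T1078": 1, "T1547": 1, "T1003": 1}),
    layer("Group C", {"T1059": 1, "T1021": 1, "T1566": 1}),
]
# Constructed: 0 = no detection, 1 = partial, 2 = good.
COVERAGE_LAYER = layer("Detection coverage", {"T1059": 2, "T1078": 1, "T1021": 0, "T1566": 2})
MAX_COVERAGE = 2

def layer_scores(lay):
    return {t["techniqueID"]: t.get("score", 0) for t in lay["techniques"]}

def sum_layers(layers):
    """Super-layer: per-technique sum of scores across all input layers."""
    totals = defaultdict(int)
    for lay in layers:
        for tid, score in layer_scores(lay).items():
            totals[tid] += score
    return dict(totals)

def gap_analysis(threat_totals, coverage, max_coverage=MAX_COVERAGE):
    """priority = (groups using it) x (coverage shortfall); highest first."""
    rows = []
    for tid, demand in threat_totals.items():
        have = coverage.get(tid, 0)
        rows.append({"techniqueID": tid, "groups": demand, "coverage": have,
                     "priority": demand * (max_coverage - have)})
    return sorted(rows, key=lambda r: (-r["priority"], -r["groups"], r["techniqueID"]))

def to_navigator_layer(name, rows):
    """Result as a layer you can load back into Navigator as a heat map."""
    return {"name": name, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": r["techniqueID"], "score": r["priority"],
                            "comment": f"{r['groups']} group(s), coverage {r['coverage']}/{MAX_COVERAGE}"}
                           for r in rows]}

if __name__ == "__main__":
    rows = gap_analysis(sum_layers(GROUP_LAYERS), layer_scores(COVERAGE_LAYER))
    for r in rows:
        print(f"{r['techniqueID']}  groups={r['groups']}  coverage={r['coverage']}  priority={r['priority']}")
    print(json.dumps(to_navigator_layer("Gap priority", rows), indent=1))
```

With the constructed data, T1059 is used by all three groups but already well covered, so it drops to the bottom; T1021 (two groups, no detection) comes out on top. The scoring rule is deliberately simple; weight groups by how credible the threat intel is, or by campaign recency, once you have that data.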
262
What is the difficult piece of the puzzle in detection?
Detection logic itself
263
What does MITRE's Cyber Analytics Repository provide?
Pre-made detection rules
264
What question does a SOC detection capability answer?
Can you detect technique x?
265
What complicates detection capabilities?
Nuance and different environments
266
What is the goal of tracking detection capabilities?
Track meaningful metrics
267
What should you consider when tracking detection capabilities?
Balance between details and simplicity
268
What is the DeTT&CT project?
Tools to label and visualize capabilities
269
What does the DeTT&CT script generate?
An ATT&CK Navigator layer
270
What is the GitHub URL for DeTTECT?
https://github.com/rabobank-cdc/DeTTECT
271
Who are the authors licensed to in the text?
David Newsome
272
What is the URL for MITRE ATT&CK for Enterprise?
https://attack.mitre.org/
273
What is the URL for Malware Archaeology Logging Cheat Sheets?
https://www.malwarearchaeology.com/cheat-sheets
274
What is the URL for Roberto Rodriguez's OSSEM Project?
https://github.com/OTRF/OSSEM
275
What is the first section in the Course Roadmap?
SOC Design and Operational Planning
276
What is the objective of Exercise 2.3?
ATT&CK Navigator for Attack Technique Prioritization
277
What is the ideal alert count scenario?
All true positives, zero false negatives
278
What are good causes for more alerts?
New tools, threat hunting
279
What are bad causes for fewer alerts?
Lack of visibility for attacks
280
What might increase alert count but be a good thing?
Detecting previously missed attacks
281
What is the goal of handling alerts in a SOC?
Drive down bad things, catch all true positives
282
What percentage of SOCs tune alerting features to reduce alert volume?
57%
283
What are two "bad" ways to handle too many alerts?
Turning off high-volume alerts, ignoring categories
284
What percentage of respondents hire more analysts to handle alerts?
38%
285
What is the goal for the alert queue size in a SOC?
Keep it at an average size of zero
286
What happens if alert generation rate exceeds triage rate?
Alert queue > 0
287
What is a basic formula for alert workload?
W = N × T (workload = number of items × average time per item)
288
What are the key variables in triage capacity planning?
Average number of items, time per item
289
What is a method to estimate alert count for established teams?
Historical metrics
290
What is the best source of information for SOC's alert count history?
Historical metrics from your own SOC.
291
What can historical metrics help you understand about alerts?
Average number of alerts and variance.
292
For which SOCs is the historical metrics approach best suited?
SOCs with months to years of data.
293
Why is it important to understand the variance in alert counts?
It affects capacity planning.
294
What do you need to estimate alert counts accurately?
Worst-case, average, and lowest numbers.
295
What should SOCs without years of data do?
Combine existing data with other approaches.
296
What can SOCs use if they haven't started yet?
Survey data from others.
297
What is a drawback of using survey data for alert counts?
It can be wildly inaccurate.
298
What will replace survey data once SOC data starts coming in?
Historical averages.
299
How can you reduce inaccuracy in alert estimation?
Use alerts per person number.
300
What can probabilistic calculations help with?
Estimating minimum and maximum alert numbers.
301
What assumptions are key for probabilistic calculations?
Nature of alerts and time to address.
302
What is a major issue in defining "alert" for time calculation?
Not all alerts require evaluation.
303
Why are enormous alert numbers not useful for capacity planning?
They don't reflect reality.
304
What complicates capacity planning based on alert count?
Duplicates, false positives, simulations.
305
What is a significant factor in the makeup of alert populations?
Many alerts are not unique or malicious.
306
Why do alert counts from analysts often not match up?
Analysts deal with aggregated alerts, not single items.
307
What does the Poisson distribution help estimate in cybersecurity?
Bounds on the number of cyber attacks.
308
What is a key characteristic of alerts in security operations?
Alerts are not 1:1 with potential issues.
309
What should be counted to better predict time required for investigations?
Count "potential issues" investigated.
310
What is the main goal of measuring aggregated issues?
To understand time spent on investigations.
311
What is a Poisson process?
Events occur randomly at a constant average rate.
312
Why is the Poisson distribution useful despite not being perfect?
Leads to better conclusions than guessing.
313
What is the relationship between the Poisson and binomial distributions?
Poisson is the limiting case of the binomial as the number of trials grows and the per-trial probability shrinks, with the mean n·p held fixed.
314
What is the Poisson distribution used for in SOCs?
Estimating expected rate of randomly occurring events.
315
What can be predicted if cyber attacks are assumed to be a Poisson process?
Average number of issues per day and bounds.
316
What does the upper left chart show for a SOC averaging two issues per day?
Distribution of alerts per day.
317
What percentage of days will a SOC with two issues per day see 0 alerts?
About 14% of days (e^-2 ≈ 0.135).
318
What is the probability of seeing 1 alert per day in a SOC with two issues per day?
27% of days.
319
What is the probability of seeing 2 alerts per day in a SOC with two issues per day?
27% of days.
320
How often will a SOC with two issues per day see 3 alerts?
18% of days.
321
How often will a SOC with two issues per day see 4 alerts?
9% of days.
322
How often will a SOC with two issues per day see 5 alerts?
4% of days.
323
How often will a SOC with two issues per day see 6 alerts?
1% of days.
324
How often will a SOC with two issues per day see 7 alerts?
0.3% of days.
325
How can capacity planning be estimated with Poisson distribution?
By estimating issue count.
326
What is a critical variable in capacity planning using Poisson distribution?
Issue count.
327
What should a SOC do if staff can handle the worst days predicted?
No problem handling expected volume.
328
What is a limitation of using Poisson distribution for issue count?
Doesn't address average time to deal with issues.
329
Where can you create interactive Poisson distribution charts?
Google or WolframAlpha.
330
What is the POISSON.DIST function used for in Excel?
Building Poisson distribution models.
331
What does the "cumulative" variable in POISSON.DIST determine?
Cumulative percentage up to that point.
332
What does using FALSE for the cumulative variable in POISSON.DIST show?
Probability of specific number of alerts.
333
What is shown by the cumulative distribution function?
Cumulative probability up to a point.
334
What should you do if you have data on investigation times?
Group by category, graph, and find distribution.
335
What should you do if you don't have data on investigation times?
Use probabilistic modeling and surveys.
336
What should be estimated to understand alert volume?
Minimum, average, and high-volume alert days
337
What should be leveraged for estimating alert times?
Existing data
338
What will be discussed over the next few slides?
Sub-dividing alerts and estimating times
339
What does grouping triaged items by time show?
Multiple clusters of items
340
What is not a completely random variable?
Triage time
341
What tends to have an independent average time?
Items of one nature
342
What leads to large margins of error in prediction?
Using whole population average
343
What helps in better understanding alert times?
Breaking data into smaller groups
344
What emerges from showing types of alerts in a histogram?
Detailed and nuanced picture
345
What aligns well when further grouped by alert type?
Time taken to deal with alerts
346
What is better than knowing the overall average alert time?
Average and variance for each type
347
What allows more accurate workload prediction?
Detailed alert type data
348
What may lead to diminishing returns?
Getting too fancy with data breakdown
349
What are some options for estimating time?
Surveys, normal/log-normal, uniform, beta distributions
350
What is a good starting place for modeling alert times?
Log-normal distribution
351
What does survey data provide for estimating times?
Base data to start with
352
What do most analysts self-report about investigation times?
Twenty minutes or less
353
What might allow probabilistic estimation for investigation timing?
Choosing a good model like Poisson
354
What stands out as a good distribution for alert times?
Log-normal distribution
355
What is a log-normal distribution best used for?
Skewed data with no negative values
356
What does the log-normal distribution prevent?
Negative investigation times
357
What analysis is used to simulate total time required?
Monte Carlo analysis
358
What is the starting point for estimating time required for alerts?
Log-normal distribution
359
What tool can be used to subdivide alert types and categories for detailed estimates?
Excel
360
What is the easiest method for running capacity planning simulations?
Monte Carlo analysis
361
What does Monte Carlo analysis simulate for capacity planning?
Simulated distributions for count and time
362
What does Monte Carlo analysis produce besides an average?
A range of total time needed
363
What should be defined before running capacity planning calculations?
Exactly what is being calculated
364
What type of data should be used in capacity planning?
Historical data
365
What should be looked for in capacity planning besides averages?
Ranges
366
What distribution is used to understand expected investigation time?
Log-normal distribution
367
What distribution is used to bound expectations of alert count?
Poisson distribution
368
What is a key security consideration for SOC members?
Keeping SOC members safe
369
What should be separated to secure SOC data?
Separate SOC data and accounts
370
What is a nightmare scenario for SOC managers and security teams?
Attacker leveraging SOC infrastructure
371
What must be avoided to prevent a compromise of the security team?
Separate SOC data and accounts
372
What roles must a SOC analyst play?
Normal employee, privileged user, investigator
373
Why is separation of accounts and assets important?
To safely perform different roles
374
What tasks might a SOC analyst perform?
Reading email, downloading files, browsing internet
375
What access might SOC analysts have?
Sensitive data, power to make changes
376
How can analysts operate safely in different roles?
Separate accounts and assets
377
Why separate accounts and computers for SOC analysts?
To prevent role-based mistakes
378
What is one risk of a single machine/account for SOC analysts?
Easy escalation for attackers
379
What happens if an analyst's machine is compromised?
All credentials can leak
380
What is the benefit of separate machines and accounts?
Prevents privilege escalation
381
What is a drawback of using separate machines and accounts?
Increased complexity and reduced productivity
382
How can secure workstations be further protected?
Firewalling and hardened configurations
383
What if authentication systems are compromised?
Leads to access to all security info
384
What could mitigate domain controller compromise?
Separate authentication systems