Lesson 17 Flashcards

(99 cards)

1
Q

Incident Response Process (PICERL)

A
PICERL
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

Preparation -> Identification -> Containment -> Eradication -> Recovery -> Post Incident Activity

  1. Preparation—make the system resilient to attack in the first place. This includes
    hardening systems, writing policies and procedures, and setting up confidential
    lines of communication. It also implies creating incident response resources and
    procedures.
  2. Identification—from the information in an alert or report, determine whether
    an incident has taken place, assess how severe it might be (triage), and
    notify stakeholders.
  3. Containment—limit the scope and magnitude of the incident. The principal aim
    of incident response is to secure data while limiting the immediate impact on
    customers and business partners.
  4. Eradication—once the incident is contained, remove the cause and restore the
    affected system to a secure state by applying secure configuration settings and
    installing patches.
  5. Recovery—with the cause of the incident eradicated, the system can be
    reintegrated into the business process that it supports. This recovery phase may
    involve restoration of data from backup and security testing. Systems must be
    monitored more closely for a period to detect and prevent any reoccurrence
    of the attack. The response process may have to iterate through multiple
    phases of identification, containment, eradication, and recovery to effect a
    complete resolution.
  6. Lessons learned—analyze the incident and responses to identify whether
    procedures or systems could be improved. It is imperative to document the
    incident. The outputs from this phase feed back into a new preparation phase in
    the cycle.
2
Q

Cyber Incident Response Team

A
  • Reporting, categorizing, and prioritizing (triage)
  • CIRT/CERT/CSIRT/SOC
  • Management/decision-making authority (led by at least director level, a person who can make decisions)
  • Incident analysts
  • 24/7 availability (costly)
  • Roles beyond technical response
    • Legal
    • Human Resources (HR)
    • Marketing
3
Q

Other names for CIRT

A

cyber incident response team (CIRT),
computer security incident response team (CSIRT),
computer emergency response team (CERT).

4
Q

SOC

A

Incident response might also involve or be wholly located within a security operations center (SOC).

5
Q

Other roles needed on for Incident Response (CIRT)

A

Roles beyond technical response
  • Legal
  • Human Resources (HR)
  • Marketing

  • Legal—it is important to have access to legal expertise, so that the team can
    evaluate incident response from the perspective of compliance with laws and
    industry regulations. It may also be necessary to liaise closely with law enforcement
    professionals, and this can be daunting without expert legal advice.
  • Human Resources (HR)—incident prevention and remediation actions may affect
    employee contracts, employment law, and so on. Incident response requires the
    right to intercept and monitor employee communications.
  • Marketing—the team is likely to require marketing or public relations input, so that
    any negative publicity from a serious incident can be managed.

6
Q

Communication Plan and Stakeholder Management

A
  • Prevent inadvertent disclosure
  • Call list identifying trusted parties
  • Communication plan
    • Share data on a need-to-know basis
    • Out-of-band communications—avoid alerting intruder
  • Stakeholder management
    • Communication with internal and external stakeholders
    • Notification and reporting
7
Q

Prevent inadvertent disclosure and call list (incident response)

A

You must prevent the inadvertent release of information beyond the team authorized
to handle the incident. Status and event details should be circulated on a need-to-know
basis and only to trusted parties identified on a call list.

8
Q

Communication plan

A
  • Communication plan
    • Share data on a need-to-know basis
    • Out-of-band communications—avoid alerting intruder

Secure communication between the trusted parties of the CIRT is essential for
managing incidents successfully. It is imperative that adversaries not be alerted to
detection and remediation measures about to be taken against them. It may not be
appropriate for all members of the CSIRT to be informed about all incident details.

The team requires an “out-of-band” or “off-band” communication method that cannot
be intercepted. Using corporate email or VoIP runs the risk that the adversary will
be able to intercept communications. One obvious method is cell phones but these
only support voice and text messaging. For file and data exchange, there should
be a messaging system with end-to-end encryption, such as Off-the-Record (OTR),
Signal, or WhatsApp, or an external email system with message encryption (S/MIME
or PGP). These need to use digital signatures and encryption keys from a system
that is completely separate from the identity management processes of the network
being defended.

9
Q

Stakeholder Management

A
  • Stakeholder management
    • Communication with internal and external stakeholders
    • Notification and reporting

Trusted parties might include both internal and external stakeholders. It is not helpful
for an incident to be publicized in the press or through social media outside of planned
communications. Ensure that parties with privileged information do not release this
information to untrusted parties, whether intentionally or inadvertently.

You need to consider obligations to report the attack. It may be necessary to inform
affected parties during or immediately after the incident so that they can perform their
own remediation. It may be necessary to report to regulators or law enforcement. You
also need to consider the marketing and PR impact of an incident. This can be highly
damaging and you will need to demonstrate to customers that security systems have
been improved.

10
Q

Incident Response Plan

A
  • Lists the procedures, contacts, and resources available to responders for various incident categories
  • Playbooks and runbooks
  • Incident categorization
  • Prioritization factors
    • Data integrity
    • Downtime
    • Economic/publicity
    • Scope
    • Detection time
    • Recovery time
11
Q

incident response plan (IRP)

A

An incident response plan (IRP) lists the procedures, contacts, and resources
available to responders for various incident categories.

12
Q

Playbooks and runbooks

A

A playbook (or runbook) is a data-driven standard operating procedure (SOP) to assist
junior analysts in detecting and responding to specific cyberthreat scenarios, such as
phishing attempts, SQL injection data exfiltration, connection to a blacklisted IP range,
and so on. The playbook starts with a SIEM report and query designed to detect the
incident and identify the key detection, containment, and eradication steps to take.

13
Q

Incident categorization

A

Incident categories and definitions ensure that all response team members and other
organizational personnel have a common base of understanding of the meaning
of terms, concepts, and descriptions. The categories, types, and definitions might vary
according to industry.

14
Q

Prioritization factors

A
  • Prioritization factors
    • Data integrity
    • Downtime
    • Economic/publicity
    • Scope
    • Detection time
    • Recovery time
15
Q

Data Integrity (prioritization factors)

A

Data integrity—the most important factor in prioritizing incidents will often be the
value of data that is at risk.

16
Q

Downtime (prioritization factor)

A

Downtime—another very important factor is the degree to which an incident
disrupts business processes. An incident can either degrade (reduce performance)
or interrupt (completely stop) the availability of an asset, system, or business
process. If you have completed an asset inventory and a thorough risk assessment
of business processes (showing how assets and computer systems assist each
process), then you can easily identify critical processes and quantify the impact of
an incident in terms of the cost of downtime.

17
Q

Economic/publicity (prioritization factor)

A

Economic/publicity—both data integrity and downtime will have important
economic effects, both in the short term and the long term. Short-term costs involve
incident response itself and lost business opportunities. Long-term economic costs
may involve damage to reputation and market standing.

18
Q

Scope (prioritization factor)

A

Scope—the scope of an incident (broadly the number of systems affected) is not a
direct indicator of priority. A large number of systems might be infected with a type
of malware that degrades performance, but is not a data breach risk. This might
even be a masking attack as the adversary seeks to compromise data on a single
database server storing top secret information.

19
Q

Detection time (prioritization factor)

A

Detection time—research has shown that more than half of data breaches are not
detected for weeks or months after the intrusion occurs, while in a successful
intrusion data is typically breached within minutes. This demonstrates that the
systems used to search for intrusions must be thorough and the response to
detection must be fast.

20
Q

Recovery time (prioritization factor)

A

Recovery time—some incidents require lengthy remediation as the system changes
required are complex to implement. This extended recovery period should trigger
heightened alertness for continued or new attacks.

21
Q

Cyber Kill Chain Attack Framework

A

Effective incident response depends on threat intelligence. Threat research provides
insight into adversary tactics, techniques, and procedures (TTPs). Insights from threat
research can be used to develop specific tools and playbooks to deal with event
scenarios. A key tool for threat research is a framework to use to describe the stages
of an attack. These stages are often referred to as a cyber kill chain.

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control (C2)
  7. Actions on Objectives
22
Q
  1. Reconnaissance
A
  1. Reconnaissance—in this stage the attacker determines what methods to use to
    complete the phases of the attack and gathers information about the target’s
    personnel, computer systems, and supply chain.
23
Q
  2. Weaponization
A
  2. Weaponization—the attacker couples payload code that will enable access with
    exploit code that will use a vulnerability to execute on the target system.
24
Q
  3. Delivery
A
  3. Delivery—the attacker identifies a vector by which to transmit the weaponized
    code to the target environment, such as via an email attachment or on a
    USB drive.
25
4. Exploitation
4. Exploitation—the weaponized code is executed on the target system by this mechanism. For example, a phishing email may trick the user into running the code, while a drive-by-download would execute on a vulnerable system without user intervention.
26
5. Installation
5. Installation—this mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system.
27
6. Command and control (C2 or C&C)
6. Command and control (C2 or C&C)—the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.
28
7. Actions on objectives
7. Actions on objectives—in this phase, the attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration). An attacker may have other goals or motives, however.
29
MITRE ATT&CK
Another attack framework: MITRE ATT&CK
  • Database of TTPs
  • Tactic categories
  • No explicit sequencing
30
The Diamond Model of Intrusion Analysis
Another attack framework
  • Framework for describing adversary capability and infrastructure plus effect on victim
31
Incident Response Exercises
Tabletop
  • Facilitator presents a scenario
  • Does not involve live systems - least costly
Walkthroughs
  • Responders demonstrate response actions (unlike a tabletop exercise, the responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company's actual response and recovery tools.)
Simulations
  • Red team performs a simulated intrusion
  • Simulations—a simulation is a team-based exercise, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. This type of training requires considerable investment and planning.
32
Tabletop
Tabletop
  • Facilitator presents a scenario
  • Does not involve live systems - least costly
33
Walkthroughs
Walkthroughs
  • Responders demonstrate response actions (unlike a tabletop exercise, the responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company's actual response and recovery tools.)
34
Simulations
Simulations
  • Red team performs a simulated intrusion
  • Simulations—a simulation is a team-based exercise, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. This type of training requires considerable investment and planning.
35
Incident response versus disaster recovery and business continuity
Incident response versus disaster recovery and business continuity
  • Disaster recovery plan
    • Response and recovery planning for major incidents
  • Business continuity plan
    • Making business procedures resilient
  • Continuity of operation planning (COOP)
36
Disaster recovery plan
  • Disaster recovery plan
    • Response and recovery planning for major incidents

Disaster recovery plan—a disaster can be seen as a special class of incident where the organization's primary business function is disrupted. Disaster recovery requires considerable resources, such as shifting processing to a secondary site. Disaster recovery will involve a wider range of stakeholders than less serious incidents.
37
Business continuity plan
  • Business continuity plan
    • Making business procedures resilient

Business continuity plan (BCP)—this identifies how business processes should deal with both minor and disaster-level disruption. During an incident, a system may need to be isolated. Continuity planning ensures that there is processing redundancy supporting the workflow, so that when a server is taken offline for security remediation, processing can failover to a separate system. If systems do not have this sort of planned resilience, incident response will be much more disruptive.
38
Continuity of Operation Planning (COOP)
Continuity of Operation Planning (COOP)—this terminology is used for government facilities, but is functionally similar to business continuity planning. In some definitions, COOP refers specifically to backup methods of performing mission functions without IT support.
39
Incident response, forensics, and retention policy
Incident response, forensics, and retention policy
  • Digital forensics requirements
  • Retention policies for evidence preservation

The incident response process emphasizes containment, eradication, and recovery. These aims are not entirely compatible with forensics. Digital forensics describes techniques to collect and preserve evidence that demonstrate that there has been no tampering or manipulation. Forensics procedures are detailed and time-consuming, where the aims of incident response are usually urgent. If an investigation must use forensic collection methods so that evidence is retained, this must be specified early in the response process.

Retention policy is also important for retrospective incident handling, or threat hunting. A retention policy for historic logs and data captures sets the period over which these are retained. You might discover indicators of a breach months or years after the event. Without a retention policy to keep logs and other digital evidence, it will not be possible to make any further investigation.
40
Incident identification
Identification is the process of collating events and determining whether any of them should be managed as incidents or as possible precursors to an incident; that is, an event that makes an incident more likely to happen.
41
Precursor
an event that makes an incident more likely to happen
42
Security mechanisms (IDS, log analysis, alerts) [precursor detection channel]
Using log files, error messages, IDS alerts, firewall alerts, and other resources to establish baselines and identify those parameters that indicate a possible security incident.
43
Manual inspections [precursor detection channel]
Manual or physical inspections of site, premises, networks, and hosts.
44
Notification procedures [precursor detection channel]
Notification by an employee, customer, or supplier.
45
Public reporting [precursor detection channel]
Public reporting of new vulnerabilities or threats by a system vendor, regulator, the media, or other outside party.
46
Confidential reporting/whistleblowing [precursor detection channel]
It is wise to provide for confidential reporting so that employees are not afraid to report insider threats, such as fraud or misconduct. It may also be necessary to use an "out-of-band" method of communication so as not to alert the intruder that his or her attack has been detected.
47
First responder
Member of CIRT taking charge of a reported incident
48
Analysis and incident identification
Analysis and incident identification
  • Classify and prioritize
  • Downgrade low priority alerts to log-only
49
Analysis and incident identification
Analysis and incident identification
  • Classify and prioritize
  • Downgrade low priority alerts to log-only

When notification has taken place, the CIRT or other responsible person(s) must analyze the event to determine whether a genuine incident has been identified and what level of priority it should be assigned. Analysis will depend on identifying the type of incident and the data or resources affected (its scope and impact). At this point, the incident management database should have a record of the event indicators, the nature of the incident, its impact, and the incident investigator responsible. The next phase of incident management is to determine an appropriate response.
50
SIEM and incident analysis
Coupled with an attack framework, notification will provide a general sense of where to look for or expect indicators of malicious activity. Incident analysis is greatly facilitated by a security information and event management (SIEM) system. A SIEM parses network traffic and log data from multiple sensors, appliances, and hosts and normalizes the information to standard field types.
51
Correlation (SIEM)
Correlation
  • Static rules and logical expressions
  • Threat intelligence feeds
  • AI-assisted analysis

The SIEM can then run correlation rules on indicators extracted from the data sources to detect events that should be investigated as potential incidents. You can also filter or query the data based on the type of incident that has been reported. Correlation means interpreting the relationship between individual data points to diagnose incidents of significance to the security team.
52
SIEM - •Static rules and logical expressions
A SIEM correlation rule is a statement that matches certain conditions. These rules use logical expressions, such as AND and OR, and operators, such as == (matches), < (less than), > (greater than), and in (contains). For example, a single-user logon failure is not a condition that should raise an alert. Multiple user logon failures for the same account, taking place within the space of one hour, is more likely to require investigation and is a candidate for detection by a correlation rule:

Error.LogonFailure > 3 AND LogonFailure.User AND Duration < 1 hour
53
Threat intelligence feeds / AI-assisted analysis (SIEM)
As well as correlation between indicators observed on the network, a SIEM is likely to be configured with a threat intelligence feed. This means that data points observed on the network can be associated with known threat actor indicators, such as IP addresses and domain names. AI-assisted analysis enables more sophisticated alerting and detection of anomalous behavior.
54
Retention (SIEM)
Retention
  • Preserve evidence of attack
  • Facilitate threat hunting and retrospective incident identification

A SIEM can enact a retention policy so that historical log and network traffic data is kept for a defined period. This allows for retrospective incident and threat hunting, and can be a valuable source of forensic evidence.
55
SIEM Dashboards
Analyst dashboard
  • Console of alerts that require prioritization and investigation
Manager dashboard
  • Overall status indicators
Sensitivity and alerts
  • Log only/alert/alarm
Sensors
  • Source for network traffic data
  • Aggregate data under one dashboard
  • Per-sensor dashboards
56
Analyst dashboard
Analyst dashboard
  • Console of alerts that require prioritization and investigation
57
Manager dashboard
  • Overall status indicators
58
Sensitivity and alerts
Sensitivity and alerts
  • Log only/alert/alarm

One of the greatest challenges in operating a SIEM is tuning the system sensitivity to reduce false positive indicators being reported as an event. This is difficult firstly because there isn't a simple dial to turn for overall sensitivity, and secondly because reducing the number of rules that produce events increases the risk of false negatives. A false negative is where indicators that should be correlated as an event and raise an alert are ignored. The correlation rules are likely to assign a criticality level to each match. For example:
  • Log only—an event is produced and added to the SIEM's database, but it is automatically classified.
  • Alert—the event is listed on a dashboard or incident handling system for an agent to assess. The agent classifies the event and either dismisses it to the log or escalates it as an incident.
  • Alarm—the event is automatically classified as critical and a priority alarm is raised. This might mean emailing an incident handler or sending a text message.
59
Sensors
Sensors
  • Source for network traffic data
  • Aggregate data under one dashboard
  • Per-sensor dashboards

A sensor is a network tap or port mirror that performs packet capture and intrusion detection. One of the key uses of a SIEM is to aggregate data from multiple sensors and log sources, but it might also be appropriate to configure dashboards that show output from a single sensor or source host.
60
Trend analysis
Trend analysis is the process of detecting patterns or indicators within a data set over a time series and using those patterns to make predictions about future events. A trend is difficult to spot by examining each event in a log file. Instead, you need software to **visualize** the incidence of types of event and show how the number or frequency of those events changes over time.
61
Frequency-based trend analysis
Frequency-based trend analysis establishes a baseline for a metric, such as number of NXERROR DNS log events per hour of the day. If the frequency exceeds (or in some cases undershoots) the threshold for the baseline, then an alert is raised.
62
Volume-based trend analysis
Volume-based trend analysis can be performed with simpler indicators. For example, one simple metric for determining threat level is log volume. If logs are growing much faster than they were previously, there is a good chance that something needs investigating. Volume-based analysis also applies to network traffic. You might also measure endpoint disk usage. Client workstations don’t usually need to store data locally, so if a host's disk capacity has suddenly diminished, it could be a sign that it is being used to stage data for exfiltration.
63
Statistical deviation analysis
Statistical deviation analysis can show when a data point should be treated as suspicious. For example, a cluster graph might show activity by standard users and privileged users, invoking analysis of behavioral metrics of what processes each type runs, which systems they access, and so on. A data point that appears outside the two clusters for standard and administrative users might indicate some suspicious activity by that account.
64
Logging Platforms
Just remember these are logging platforms:
Syslog
  • Logging format, protocol, and server (daemon) software
  • PRI – facility and severity
  • Timestamp
  • Host
  • Message part
Rsyslog and syslog-ng
journalctl
  • Binary logging
Nxlog
  • Log normalization tool
65
System and security logs
System and security logs
  • Application
  • Security/audit
  • System
  • Setup
  • Forwarded events

One source of security information is the event log from each network server or client. When events are generated, they are placed into log categories. These categories describe the general nature of the events or what areas of the OS they affect. The five main categories of Windows event logs are:
  • Application—events generated by applications and services, such as when a service cannot start.
  • Security—audit events, such as a failed logon or access to a file being denied.
  • System—events generated by the operating system and its services, such as storage volume health checks.
  • Setup—events generated during the installation of Windows.
  • Forwarded Events—events that are sent to the local log from other hosts.
66
Network Logs
Network logs
  • Traffic and access data from network appliances

Network logs are generated by appliances such as routers, firewalls, switches, and access points. Log files will record the operation and status of the appliance itself—the system log for the appliance—plus traffic and access logs recording network behavior, such as a host trying to use a port that is blocked by the firewall, or an endpoint trying to use multiple MAC addresses when connected to a switch.
67
Authentication Logs
Authentication logs
  • Security log or RADIUS/TACACS+ application logs

Authentication attempts for each host are likely to be written to the security log. You might also need to inspect logs from the servers authorizing logons, such as RADIUS and TACACS+ servers or Windows Active Directory (AD) servers.
68
Vulnerability scan output
A vulnerability scan report is another important source when determining how an attack might have been made. The scan engine might log or alert when a scan report contains vulnerabilities. The report can be analyzed to identify vulnerabilities that have not been patched or configuration weaknesses that have not been remediated. These can be correlated to recently developed exploits.
69
Application Log Files
An application log file is simply one that is managed by the application rather than the OS.
DNS event logs
  • Types of queries made by clients
  • Hosts using suspicious IP address ranges or domains
  • Statistical anomalies
Web/HTTP access logs
  • HTTP status codes
  • HTTP headers
VoIP and call managers and Session Initiation Protocol (SIP) traffic
  • Log endpoint connections
  • Type of connection
  • Via headers
Dump files
  • Data from system memory
70
DNS Event Logs
DNS event logs
  • Types of queries made by clients
  • Hosts using suspicious IP address ranges or domains
  • Statistical anomalies

A DNS server may log an event each time it handles a request to convert between a domain name and an IP address. DNS event logs can hold a variety of information that may supply useful security intelligence, such as:
  • The types of queries a host has made to DNS.
  • Hosts that are in communication with suspicious IP address ranges or domains.
  • Statistical anomalies such as spikes or consistently large numbers of DNS lookup failures, which may point to computers that are infected with malware, misconfigured, or running obsolete or faulty applications.
71
Web/HTTP Access Logs
Web/HTTP access logs
  • HTTP status codes
  • HTTP headers

Web servers are typically configured to log HTTP traffic that encounters an error or traffic that matches some predefined rule set ...
72
VoIP and call managers and Session Initiation Protocol (SIP) traffic
VoIP and call managers and Session Initiation Protocol (SIP) traffic
  • Log endpoint connections
  • Type of connection
  • Via headers

The call manager's access log can be audited for suspicious connections.
73
Dump Files
Dump files
  • Data from system memory

System memory contains volatile data. A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. It can also be a means of accessing data that is encrypted when stored on a mass storage device.
74
Metadata
Metadata is the properties of data as it is created by an application, stored on media, or transmitted over a network. A number of metadata sources are likely to be useful when investigating incidents, because they can establish timeline questions, such as when and where, as well as containing other types of evidence.
File
  • Date/time and security attributes
  • Extended attributes and properties
Web
  • Request and response headers
Email
  • Internet header listing message transfer agents
  • Spam/security analysis
Mobile
  • Call detail records (CDRs)
75
File (metadata)
File
  • Date/time and security attributes
  • Extended attributes and properties

File metadata is stored as attributes. The file system tracks when a file was created, accessed, and modified. A file might be assigned a security attribute, such as marking it as read-only or as a hidden or system file. The ACL attached to a file showing its permissions represents another type of attribute. Finally, the file may have extended attributes recording an author, copyright information, or tags for indexing/searching.
76
Web (metadata)
Web
  • Request and response headers

When a client requests a resource from a web server, the server returns the resource plus headers setting or describing its properties. Also, the client can include headers in its request. One key use of headers is to transmit authorization information, in the form of cookies. Headers describing the type of data returned (text or binary, for instance) can also be of interest. The contents of headers can be inspected using the standard tools built into web browsers. Header information may also be logged by a web server.
77
Email (metadata)
Email
• Internet header listing message transfer agents
• Spam/security analysis

An email's Internet header contains address information for the recipient and sender, plus details of the servers handling transmission of the message between them. When
78
Mobile (metadata)
Mobile
• Call detail records (CDRs)

Mobile phone metadata comprises call detail records (CDRs) of incoming, outgoing, and attempted calls and SMS text time, duration, and the opposite party's number. Metadata will also record data transfer volumes.
79
Network Data Sources
I didn't really get this one, so I skipped it.

Network data is typically analyzed in detail at the level of individual frames or using summary statistics of traffic flows and protocol usage.

Protocol analyzer output
• Pivot from alert event to per-packet or frame analysis
• Extract binary data
Netflow/IPFIX
• Records traffic statistics
• Flows defined by endpoints and ports (keys)
• Netflow exporters and collectors
sFlow
• Uses sampling to estimate statistics
• Bandwidth monitor
80
Incident Containment Phase
Response must satisfy different or competing objectives
• What is the loss or potential for loss?
• What countermeasures are available?
• What evidence can be collected?

When an incident has been identified, classified, and prioritized, the next phase of incident response is containment. Containment techniques can be classed as either isolation-based or segmentation-based.
81
Containment classifications
Isolation-based or segmentation-based
82
Isolation-Based Containment
Isolation-based containment
• Remove the affected system
• Disconnect hosts from power
• Prevent hosts communicating on network
• Disable user accounts or applications
83
Segmentation-based containment
Segmentation-based containment
• Use sinkhole or sandbox to analyze attack

As opposed to completely isolating the hosts, you might configure the protected segment as a sinkhole or honeynet and allow the attacker to continue to receive filtered (and possibly modified) output over the C&C channel to deceive him or her into thinking the attack is progressing successfully. Analysis of the malware code by reverse engineering it could provide powerful deception capabilities. You
84
Incident Eradication and Recovery
* Eradication of attack tools and access methods
* Recovery of systems to restore the operation of business workflows

Includes the following steps:
1. Reconstitution of affected systems
2. Re-audit security controls – what could have prevented the intrusion?
3. Notify affected third parties
85
Firewall Configuration Changes
* Analyze attack to determine vector
* Reduce attack surface through configuration changes
* New security control
* Update existing control configuration
86
Ingress filtering rules vs egress filtering (firewall)
Historically, many organizations focused on ingress filtering rules, designed to prevent local network penetration from the Internet. In the current threat landscape, it is imperative to also apply strict egress filtering rules to prevent malware that has infected internal hosts by other means from communicating out to C&C servers. Egress filtering can be problematic in terms of interrupting authorized network activity, but it is an essential component of modern network defense.
87
Content Filter Configuration Changes
Secure web gateway for egress filtering
• Update URL/content filtering using threat data
Data loss prevention (DLP)
• Identify whether DLP mechanisms were circumvented
Mobile device management (MDM)
• Identify whether MDM mechanisms were circumvented
Update or revoke certificates
• Remove compromised root certificates from trust stores
• Revoke certificates on compromised hosts
• Re-key certificate
88
Secure web gateways (SWGs) (content filter configuration changes)
Secure web gateway for egress filtering
• Update URL/content filtering using threat data

An SWG mediates user access to Internet services, with the ability to block content from regularly updated URL/domain/IP blacklists and perform intrusion detection/prevention on traffic based on matching content in application layer protocol headers and payloads.
89
Data loss prevention (DLP) (content filter configuration changes)
Data loss prevention (DLP)
• Identify whether DLP mechanisms were circumvented

Data loss prevention (DLP) performs a similar function, but instead of user access it mediates the copying of tagged data to restrict it to authorized media and services. An attack may reveal the necessity of investing in DLP as a security control if one is not already implemented. If DLP is enabled and configured in the correct way to enforce policy, the attacker may have been able to circumvent it using a backdoor method that the DLP software cannot scan. Alternatively, the attacker may have been able to disguise the data so that it was not recognized.
90
Mobile Device Management (MDM) (content filter configuration changes)
Mobile device management (MDM)
• Identify whether MDM mechanisms were circumvented

Mobile Device Management (MDM) provides execution control over apps and features of smartphones. Features include GPS, camera, and microphone. As with DLP, an intrusion might reveal a vector that allowed the threat actor to circumvent enrollment or a misconfiguration in the MDM's policy templates.
91
Update or revoke certificates (content filter configuration changes)
Update or revoke certificates
• Remove compromised root certificates from trust stores
• Revoke certificates on compromised hosts
• Re-key certificate
92
Endpoint Configuration Changes
Re-assess attack surface and attack vectors
• Social engineering
• Vulnerabilities
• Lack of security controls
• Configuration drift
• Weak configuration
Application allow lists/block lists
• Change to least privilege
• Identify failure of controls to prevent execution
Quarantine
• Isolate suspect systems for analysis in sandbox
93
Security Orchestration, Automation, and Response (SOAR)
* Automation versus orchestration
* Security orchestration, automation, and response (SOAR)
* Incident response
* Threat hunting
* Integrates SDN/SDV APIs, orchestration tools, and cyber-threat intelligence (CTI) feeds
* AI-assisted user and entity behavior analytics (UEBA)
* Runbooks versus playbooks
94
Automation versus orchestration
Automation is the action of scripting a single activity, while orchestration is the action of coordinating multiple automations (and possibly manual activity) to perform a complex, multistep task.
95
Security orchestration, automation, and response (SOAR)
Security orchestration, automation, and response (SOAR)
• Incident response
• Threat hunting

SOAR is designed as a solution to the problem of the volume of alerts overwhelming analysts' ability to respond, measured as the mean time to respond (MTTR). A SOAR may be implemented as a standalone technology or integrated with a SIEM, often referred to as a next-gen SIEM. The basis of SOAR is to scan the organization's store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting.
96
Integrates SDN/SDV APIs, orchestration tools, and cyber-threat intelligence (CTI) feeds
SOAR can also assist with provisioning tasks, such as creating and deleting user accounts, making shares available, or launching VMs from templates, to try to eliminate configuration errors. The SOAR will use technologies such as cloud and SDN/SDV APIs, orchestration tools, and cyberthreat intelligence (CTI) feeds to integrate the different systems that it is managing.
97
AI-assisted user and entity behavior analytics (UEBA) [SOAR]
SOAR will also leverage technologies such as automated malware signature creation and user and entity behavior analytics (UEBA) to detect threats.
98
Runbooks versus playbooks
A playbook is a checklist of actions to perform to detect and respond to a specific type of incident. The aim of a runbook is to automate as many stages of the playbook as possible, leaving clearly defined interaction points for human analysis.
99
Adversarial Artificial Intelligence
* Machine learning relies on training data to develop analysis capability
* Threat actor may be able to submit tainted samples
* Adversarial AI
* Security of machine learning algorithms