Security Operations Part I

Question 1

TPM

Answer 1

Trusted Platform Module:
- build into motherboard
- stores encyrption keys locally (some keys)
- supports BitLocker, Secure Boot
- Keys never leave the chip
- not scalabe
- used on 1 device

Question 2

HSM

Answer 2

Hardware Security Module:
- Used in data centers, clouds
- stores millions of encrypted keys
- scalable
- used in banks, enterprises

Question 3

UEFI

Answer 3

Unified Extensible Firmware Interface:

+ replacement for BIOS
+ faster boot times
+ supports Secure Boot
+required for BitLocker with Security Boot

Question 4

Secure Boot

Answer 4

*UEFI feature
*allows only trusted software to run during setup
*verifies drives using digital signatures
* blocks rootkits, bootkits (malware)
* cryptographics keys (PK, KEK< db, dbx)
*works with TPM for Measured Boot & Attestation

Question 5

Whitelisting✔️

Answer 5

Only approved apps can run ✔️

Question 6

Blacklisting❌

Answer 6

blocks untrusted apps ❌

Question 7

Application hardening🤷

Answer 7

removing unnecessary features, code, access so attackers have less things to target. 🤷

Question 8

Antimalware🦠

Answer 8

Antyvirus 2.0
basic protection, blocks known threats🦠

Question 9

EDR 🦠

Answer 9

Endpoint Detenction and Response:
Advanced security detects, responds, analizes, even if threat is unknown 🦠

Question 10

Network segmentation

Answer 10

Isolate critial systems with VLANs, firewalls, DMZs

Question 11

NAC

Answer 11

Network Access Control

Network gatekeeper :)

= checks device identity and security posture✅
= allows or blocks access✅

Question 12

Degaussing 💿

Answer 12

data destruction method to wipe magnetic storage (HDDs, tapes) 💿

• does not work on SSDs

Question 13

Asset inventory 💻🖥️

(what is does?)

Answer 13

Tracks all assets in a company. Hardware & Software, people. 💻🖥️

Question 14

CMDB 🧑‍🤝‍🧑

Answer 14

Configuration Management Database:

Tracks configurations, owners, relatioships between devices, dependencies, change history, etc. 🧑‍🤝‍🧑

Question 15

Assets (?)

Answer 15

Everything valuable to company that needs protection:
- IT devices
- data
- cloud services (VMs)
- people
- certificates, keys

Question 16

CVSS

Answer 16

Common Vulnerability Scoring System (0 -10)

+ scores how big vulnerability is
+ 9-10 is critical
+ helps prioritize patching

0.1-3.9 - low
4.0-6.9 - medium
7.0-8.9 - high
9.0-10.0 - critical

Question 17

Remediation

Answer 17

You found the vulnerability now eliminate it :))

Question 18

Compensate, Mitigation

Answer 18

buy time or limit damage cuz you cant fix the issue directly

Question 19

penetration test

Answer 19

simulating real world cyberattack (hiring ethical hackers to hack their company)

Question 20

WAF

Answer 20

Web Application Firewall

Question 21

Endpoints

Answer 21

user devices connected to the network (laptop, phone, printer)

Question 22

SIEM 🧠

Answer 22

Security Information and Event Management:

• Central Brain 🧠
• stores, collects, analizes logs from everywhere (firewalls, endpoints, servers)
  *sends allerts
• “Log centralization” + detection + analysis + alerting

Question 23

EDR 💻

Answer 23

Can isolate infected devices and roll back damage

Endpoint Detection and Response: 💻

• “Endpoint Bodyguard”
  Watches Endponts (laptops, desktops, servers) for malware and sus activity

Question 24

NDR 🌐

Answer 24

Network Detection and Response: 🌐

@ Network Watchtower
@ Watches the network for threats and lateral movement
@ east-west network traffic surveillance

Question 25

HIDS/HIPS 🕵️

Answer 25

Host-Based/Network-based Intrustion Detection/Prevention Systems: 🕵️ | HIDS monitores files, logs on a SINGLE device | NIDS analyzes network traffic in real time |OLD but uself for known threats | "Classic Detectives"

Question 26

SOAR🤖

Answer 26

Security Orchestration, Automation and Response: 🤖 ~ "The Automation Hero" ~automates responses across multiple tools ~ isolating endpoints, sending alerts ~SIEM detects, SOAR acts ‼️

Question 27

UEBA 🧍

Answer 27

User and Entity Behavior Analytics:🧍 🧷 "Sus user behavior 🧷 "whos acting weird???" 🧷 Uses AI/ML to find behaviour anomalies - user logging at 3 am

Question 28

Automation

Answer 28

Individual tasks performed by system without human interaction do humans can do focus on other things. 🧷blocks IP after 5 failed login attempts 🧷 remove human error, improve efficency

Question 29

Orchestration ⭐

Answer 29

Coordinating multiple automated tasks across different systems into a unified workflow ⭐ ⭐ Focus on hard, multi-steps problems from start to finish ⭐ Malware is detected → system isolates the host → forensics tool collects evidence → alert sent to SOC team → IR ticket created ⭐ SOAR = Automation + Orchestration + Response ⭐ chain of actions, workflow

Question 30

IR steps (6 steps) 📢

Answer 30

Incident Response steps: 1. Preparation 2. Detection and Analysis 3. Containment 4. Eradication 5. Recovery 6. Lessons Learned (Post-Incident Acticity)

Question 31

1. Preparation 🥒

Answer 31

🥒 Be ready. Before the attack occurs 🥒 Develop IR team (IRT or CSIRT) 🥒 communication protocols 🥒 security tools - SIEM, IDS/IPS, EDR 🥒 Create IRP (IR plan) 🥒logging and monitoring

Question 32

2. Detection and Analysis 🪐

Answer 32

🪐Recognize and confirm the incident ❗ 🪐SIEM alerts, IDS/IPS logs, Antivirus, user reports, monitoring dashboards 🪐 validate the incident (false or positive) 🪐 determine the scope of it 🪐document it 🪐 Categorize severity (low or high) 🪐start the incident ticket

Question 33

3. Containment 🔒

Answer 33

🔒 stop the SPREAD ❗ 🔒isolate infected devices 🔒 block malicious IPs 🔒 disable compromised accounts 🔒 take systems offline

Question 34

4. Eradicatoin ☠️

Answer 34

☠️ELIMINATE the threat completely ❗ ☠️remove malware ☠️ patch systems ☠️remove backdoors ☠️ reimage systems

Question 35

5. Recoverty 🎗️

Answer 35

🎗️ bring systems back to safety❗ 🎗️ clean backups 🎗️ monitor for re-infection

Question 36

6. Lessons Learned 👩🏿‍🏫

Answer 36

👩🏿‍🏫Post Incident review and documentation❗ 👩🏿‍🏫Incident report 👩🏿‍🏫 Update IRP

Question 37

Forensics (whats that)

Answer 37

Identifying, collecting, analyzing evidence post indicent(attack)

Question 38

Key Goals of Forensic Investigation 🔑

Answer 38

1. identify 🔑 2. preserve ( the integrity of the evidence) 3. analyze (the data to find the root cause) 4. report ( findings in a legally defensible manner)

Question 39

Chain of Custody ⛓️

Answer 39

⛓️ Detaild log of who handled the evidence, when and what they did, to prove it wasn't tampered with - so it can be legally valid in court. ⛓️‍💥 who touched the evidence ⛓️‍💥 when and where ⛓️‍💥 why it was accessed ⛓️‍💥 how it was secured

Question 40

DNS logs🫧 (what it shows?)

Answer 40

🫧 sus domain lookups 🫧identify connections to malicious domains

Question 41

Firewall logs 🔥 (what it shows?)

Answer 41

🔥blocked/allowed traffic, ports, IPs 🔥detect port scanning

Question 42

IDS/IPS logs🚒 (what it shows?)

Answer 42

🚒 detected attacks or anomalies 🚒 detected SQL injection or buffer overflow

Question 43

NetFlow /SFlow data🛜 (what it shows?)

Answer 43

🛜 metadata about traffic (IP pairs, ports, bytes) 🛜 who talked to who on the network 🛜 how much data was transfered

Question 44

Application logs 🤳🏿 (what it shows?)

Answer 44

🤳🏿app specific behavior 🤳🏿help debug software 🤳🏿catch errors 🤳🏿 track app misuse

Question 45

SIEM logs 📶 (what it shows?)

Answer 45

📶 correlate all logs for broader context 📶 aggregates logs 📶 supports automated responses 📶 correlates events

Question 46

System logs (Event logs)⌨️ (what it shows?)

Answer 46

⌨️ login attempts ⌨️ logouts ⌨️ policy changes ⌨️ system crashes

Question 47

EDR logs 🖥️ (what is shows)

Answer 47

🖥️ malware infections 🖥️ransomware 🖥️ endpoint threats

Question 48

System Performance Logs 👺 (what is shows)

Answer 48

👺 detect DDoS 👺hardware-related performance issues