Week 3

Question 1

What is the assumption behind SOIM?

Answer 1

The assumption is that we can’t, or won’t, fully protect our cyber environment

Question 2

What is the MAPE-K model for cybersecurity?

Answer 2

Monitor, Analyse, Plan, Execute - Knowledge

Question 3

What could be described as an architecture for adaptive systems?

Answer 3

MAPE-K
It is like an event-driven loop

Question 4

What are the three workflows of SOIM?

Answer 4

-IDPS
-SIEM
-SOAR

Question 5

What is CTI?

Answer 5

Cyber Threat Intelligence: Detailed knowledge of threats against an organisation

Question 6

What is ISAC?

Answer 6

Information Sharing and Analysis Centers: Organisations that gather data on security threats

Question 7

Why is it so crucial to maintain an internal knowledge base?

Answer 7

To be able to cross-reference events with known intelligence

Question 8

What is an example of an open, commercial database of cybersecurity intelligence?

Answer 8

Mitre ATT&CK

Question 9

Why are honeypots important to SOIM?

Answer 9

We can learn both about hacker techniques as well as who they are

Question 10

What are examples of CTI that should be shared?

Answer 10

Signatures for different platforms, snort rule sets, YARA signature exchange, Indicators of Compromise (IoC)

Question 11

What official European body can help increase our situational awareness of current cyber threats?

Answer 11

ENISA

Question 12

Incident response is roughly divided into two tasks:

Answer 12

-Establishing capabilities
-Incident handling

Question 13

Who should be part of a Computer Security Incident Response Team (CSIRT)?

Answer 13

Technical staff, legal, public relations, HR

Question 14

Which five things should be part of the incident response plan?

Answer 14

-Incident classification
-Response list
-Resources available
-Communication plan (who to talk to and when)
-Contingency plan (prioritisation)

Question 15

What types of resources need to be easily available during an incident response?

Answer 15

-Backup internet connection
-Backup recovery plan
-Empty removable storage
-Backup power
-Backup laptops with correct tools
-Evidence gathering gear

Question 16

What is investigated during the analysis part of MAPE-K?

Answer 16

The nature of the incident and the damage caused

Question 17

What are examples of tasks that can be done to mitigate damage?

Answer 17

-Cutting the network
-Applying security patches
-Reinstalling machines
-Shutting down services

Question 18

Why is communication an important part of incident response?

Answer 18

Legal and compliance reasons as well as maintaining trust

Question 19

What is an important activity to do after an incident?

Answer 19

Measure the performance of the incident handling to learn from it

Question 20

Where might we source the data from the monitoring phase of MAPE-K?

Answer 20

IDPS, Firewalls, Clients, Servers, other network equipment

Question 21

What is a rule-based system often used during the monitoring phase of MAPE-K?

Answer 21

Snort

Question 22

What are the four modes of Snort?

Answer 22

-Sniffer
-Packet logger
-IDPS
-PCAP Investigation

Question 22

What is an example of a system that aggregates log data from different sources during the monitoring phase?

Answer 22

SIEM (Security Information and Event Management)

Question 23

What is a tool that can be used during the analysing phase to make sense of the data that has been gathered?

Answer 23

ELK

Question 24

What are the two broad methods for data analysis?

Answer 24

-Misuse detection -Anomaly detection

Question 25

What is misuse detection dependent on?

Answer 25

DEFINITIONS of harmful code/behaviour/traffic

Question 26

What are the benefits and drawbacks of misuse detection?

Answer 26

Cheap and easy to implement but it has difficulty identifying new events

Question 27

What does anomaly detection rely on?

Answer 27

MODELS, often statistical, that define normal behaviour

Question 28

Which method of data analysis gives events a score that reflects how normal they are?

Answer 28

Anomaly detection - it then comes with a threshold that when reached sends off an alarm

Question 29

What is a false positive alarm?

Answer 29

Alert is raised for a benign event

Question 30

What is a true negative alarm?

Answer 30

Alert is not raised for a benign event

Question 31

Which phase in addition to the analysing phase is covered by the SIEM?

Answer 31

The planning phase

Question 32

What is logstack?

Answer 32

A log aggregator that collects logs from various sources

Question 33

Which tool is a combination of four technologies?

Answer 33

ELK: Elasticsearch, Kibana, Beats

Question 34

What is Elasticsearch?

Answer 34

A search engine

Question 35

What is the name of the visualisation layer for elasticsearch which makes it possible to create dashboards?

Answer 35

Kibana

Question 36

What is beats?

Answer 36

Agents that can collect data from hosts and forward to elasticsearch

Question 37

What is an alternative tool to ELK?

Answer 37

SPLUNK

Question 38

What are examples of automating the execution phase of MAPE-K?

Answer 38

-IDPS block rules -Firewall filters -Malware quarantine

Question 39

What are playbooks used for?

Answer 39

To help manage incidents efficiently

Question 40

What is developed to provide a guide for how to manage a certain type of incident?

Answer 40

A playbook

Question 41

What are some types of information that should be included in a playbook?

Answer 41

-Roles to be involved -Tools to use -Steps to take