1.7 Security assessment techniques Flashcards
What is threat hunting?
The practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses
What is intelligence fusion/ cyber fusion?
Cyber fusion centers combine threat intelligence, security automation, incident response, threat detection, and other security functions into a single unit in a collaborative manner. This approach bridges the gap between teams through intelligence synthesis and helps enable rapid threat prediction capabilities
What is vulnerability scanning?
The process of identifying security weaknesses and flaws in systems and software running on them. This is an integral component of a vulnerability management program, which has one overarching goal – to protect the organization from breaches and the exposure of sensitive data
What kinds of vulnerability scan exist?
- Non-intrusive scans: gather information (banners, versions, configuration) without exploiting the vulnerability
- Intrusive scans: try to exploit the vulnerability to confirm it is real; they can crash or disrupt the target, so they need a change window and the owner's agreement
- Non-credentialed scans: the scanner can't log in to the remote device, so it sees only what an outside attacker sees
- Credentialed scans: the scanner logs in with a normal user account, emulating an insider attack (or an attacker with stolen credentials); it can read installed packages and local settings, so it produces fewer false positives
What tool can be used to scan for vulnerabilities?
Nessus
How are vulnerabilities identified?
The scanner compares what it observes against a database of signatures (known vulnerable versions, configurations and behaviours):
- application scans
- web application scans
- network scans (misconfigured firewalls, open ports, vulnerable devices, etc.)
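The following is an added example, not part of the original flashcards, showing how signature matching works for a non-intrusive network scan and why a credentialed scan can contradict it. The signature table, the finding ids (EX-SSH-001, EX-HTTPD-001), the banners and the changelog text are all constructed for the example; they are not real advisories or a real vulnerability feed.

```python
import re

# Constructed signature table for this example (not a real vulnerability feed):
# product -> list of (first_affected, first_fixed, finding_id). A version v matches
# when first_affected <= v < first_fixed. The finding ids are hypothetical.
SIGNATURES = {
    "OpenSSH": [((7, 0), (7, 8), "EX-SSH-001")],
    "Apache":  [((2, 4, 0), (2, 4, 50), "EX-HTTPD-001")],
}

# Product name and dotted version as they appear in an SSH or HTTP server banner.
BANNER_RE = re.compile(r"(OpenSSH|Apache)[_/](\d+(?:\.\d+)+)")


def fingerprint(banner: str):
    """Non-intrusive network-scan step: read product and version off the banner
    the service volunteers; nothing is sent that could disturb the service."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def match_signatures(product: str, version: tuple) -> list:
    """Return the ids of every signature whose affected range contains version."""
    return [fid for first, fixed, fid in SIGNATURES.get(product, [])
            if first <= version < fixed]


def non_credentialed_scan(banner: str) -> list:
    """What an outside scanner (no login) can conclude: version-based findings only."""
    fp = fingerprint(banner)
    return [] if fp is None else match_signatures(*fp)


def credentialed_scan(banner: str, package_changelog: str) -> list:
    """With a login the scanner can read the installed package's changelog and
    drop findings the distribution already backported a fix for, even though
    the banner version never changed. The changelog text is constructed here;
    real changelog formats differ per distribution."""
    findings = non_credentialed_scan(banner)
    backported = set(re.findall(r"EX-[A-Z]+-\d+", package_changelog))
    return [f for f in findings if f not in backported]


if __name__ == "__main__":
    banner = "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"   # constructed banner
    changelog = "openssh (1:7.4p1-10+deb9u7) stretch\n  * backport fix for EX-SSH-001"
    print("non-credentialed:", non_credentialed_scan(banner))          # ['EX-SSH-001']
    print("credentialed:    ", credentialed_scan(banner, changelog))   # []
```

The non-credentialed result is a false positive on a distribution that backports fixes without bumping the banner version; only the credentialed scan has enough evidence to clear it, which is the practical reason credentialed scans are preferred wherever an account can be provided.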
Why should we review the vulnerability scan log?
Because it can highlight a lack of security controls (firewall, antivirus, etc.), security misconfigurations (open shares, guest shares) and real vulnerabilities, and because a raw scan report also contains false positives that only a review can weed out
What is the purpose of configuration review?
- Validate the security of device configurations
- Check the account configuration and local device settings
- Check who has access to the server and which permissions they hold
- Check the configuration of security devices (firewall rules, authentication options)
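As an added example of a configuration review (not part of the original flashcards), the script below checks the authentication options of an OpenSSH server configuration against a baseline. The baseline and the two sshd_config texts are constructed for the example; the default values are those documented for sshd when a keyword is absent, which is the detail a review most often gets wrong: a commented-out line means "default", not "off".

```python
import re

# Review baseline (an assumption of this example; adapt to your own policy):
# keyword -> acceptable values. Keywords are compared case-insensitively, as sshd does.
BASELINE = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}

# What sshd assumes when the keyword is absent (sshd_config(5) defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text: str) -> dict:
    """Global settings of an sshd_config, following sshd's own rules: '#' starts
    a comment, keyword and value are separated by whitespace or '=', and the
    FIRST occurrence of a keyword wins. Parsing stops at the first Match block,
    whose settings are conditional and need a separate review."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def review_sshd_config(text: str) -> list:
    """Compare effective values (explicit or default) against the baseline.
    Returns (keyword, effective_value, 'set' | 'default') for each deviation."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in BASELINE.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective not in allowed:
            findings.append((key, effective, "set" if key in settings else "default"))
    return findings


# Constructed configurations for the example.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no    <- commented out, so sshd's default (yes) applies
PermitEmptyPasswords no
X11Forwarding no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, review_sshd_config(cfg))
```

The hardened configuration passes the global review, yet its Match block re-enables password authentication for one user; a complete review has to walk the Match blocks too, which is why the parser stops there and says so rather than silently merging them.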
What is a Security Information and Event Management (SIEM)?
SIEM technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources.
What does syslog do, and how is it related to a SIEM?
Syslog is a protocol that computer systems use to send event log data to a central location for storage. It is a standard for message logging coming from diverse systems (a consolidated log). Those logs can then be read by analysis and reporting software such as a SIEM to perform audits, monitoring, troubleshooting, and other essential IT operational tasks.
What types of information are valuable to store in a SIEM?
- Data inputs: server authentication attempts, VPN connections, firewall session logs, denied outbound traffic flows, network utilization
- Packet captures: network packets
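The following is an added example, not part of the original flashcards, that ties the two cards above together: it parses syslog lines of the kind a collector forwards to a SIEM and runs one typical SIEM correlation over them, a password-guessing detection that counts failed SSH logins per source IP across all servers. The log lines, host names and addresses are constructed; the line format and the PRI decoding follow RFC 3164.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# RFC 3164-style line as rsyslog forwards it: "<PRI>Mmm dd hh:mm:ss host app[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# The message OpenSSH logs for a rejected password.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_syslog(line, year=2024):
    """Split one syslog line into fields. RFC 3164 timestamps carry no year, so the
    collector has to supply one; PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    pri = int(ev["pri"]) if ev["pri"] is not None else 13   # 13 = user.notice, the RFC default
    ev["facility"], ev["severity"] = pri >> 3, pri & 7
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """SIEM-style correlation over the consolidated log: alert when one source IP
    produces `threshold` failed SSH logins within `window_seconds`, no matter how
    many different servers it spread them across. Lines are assumed to arrive in
    time order, as they do from a single collector."""
    recent = defaultdict(deque)     # ip -> timestamps of its recent failures
    alerts = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["app"] != "sshd":
            continue
        f = FAILED_RE.search(ev["msg"])
        if f is None:
            continue
        q = recent[f["ip"]]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop attempts that fell out of the window
        if len(q) >= threshold:
            alerts.append((f["ip"], len(q), ev["host"]))
            q.clear()               # one alert per burst, not one per extra attempt
    return alerts


# Constructed log: two web servers forwarding to one collector.
SAMPLE_LOG = """\
<38>Mar 14 10:00:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
<38>Mar 14 10:00:03 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51236 ssh2
<38>Mar 14 10:00:05 web2 sshd[1180]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
<38>Mar 14 10:00:06 web1 sshd[2315]: Failed password for invalid user oracle from 198.51.100.9 port 40000 ssh2
<86>Mar 14 10:00:08 web1 CRON[2320]: pam_unix(cron:session): session opened for user root by (uid=0)
<38>Mar 14 10:00:09 web2 sshd[1184]: Failed password for root from 203.0.113.7 port 51242 ssh2
<38>Mar 14 10:00:12 web1 sshd[2319]: Accepted publickey for deploy from 10.0.0.5 port 39000 ssh2
<38>Mar 14 10:00:15 web1 sshd[2321]: Failed password for root from 203.0.113.7 port 51250 ssh2
"""

if __name__ == "__main__":
    for ip, count, host in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {count} failed SSH logins from {ip}, last seen on {host}")
```

No single server sees more than three failures from 203.0.113.7, so a per-host check would stay quiet; the detection only works because syslog has consolidated every server's log in one place, which is the point of feeding it to a SIEM.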
Explain the connection between a SIEM and a SOC
SOC staff are in charge of monitoring and analyzing the constant flow of information coming from the SIEM, triaging the alerts it raises, and tracking important statistics
What is Security Orchestration, Automation and Response (SOAR)?
Refers to a collection of software solutions and tools that allow organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.