1.7 - Summarize the techniques used in security assessments. Flashcards
Threat hunting
-proactive approach to finding the perpetrator before alerts are triggered
-find the perpetrator before they find you
-not reactive or detective
Intelligence fusion
-too much data to properly detect, analyze, and react
-separate teams (sec. ops, sec. intel, threat response)
-fuse sec. data with big data analytics
->analyze large + diverse data sets
->pick out interesting data pts + correlations
Breakdown
-gathering + merging various sources of threat intel data
->open source intel, internal logs, internal feeds
-combine diverse data pts to identify emerging threats + patterns that might go unnoticed when examining individual sources
Fusing data
-collect data = logs, sensors, net. info, internet events, intrusion detection
-add external sources = threat feeds, govt alerts, advisories/bulletins, social media
-correlate with big data analytics = focuses on predictive analytics + user behavior analytics, mathematical analysis of unstructured data
Threat feeds
-regularly updated streams of info about known threats + vulns. + emerging threats + IOCs
-provides sec. teams with real-time/near-real-time info about malicious IPs, malware signatures, other IOCs
-by integrating TFs into sec. systems, orgs can proactively block + detect threats based on the latest intel.
-provides orgs with timely + actionable info to defend
-enables proactive threat detection + response
->helps mitigate risks + protect assets effectively
Advisories and bulletins
-
Maneuver
Vulnerability scans
False positives
False positive (106)
-scanner reports vuln. that doesn’t exist
Positive report
-when vuln scanner reports vuln
True positive
-report is accurate
False positive report
-inaccurate report
False negatives
Negative report
-scanner reports that a vuln isn’t present
True negative report
-negative report is accurate
False negative report
-negative report is inaccurate
Log reviews
-might contain info about possible attempts to exploit detected vuln.
Credentialed vs. non-credentialed
-Credentialed scan = the scanner logs in as a normal user; emulates an insider attack
-Non-credentialed scan = the scanner can't log in to the remote device
Intrusive vs. non-intrusive
Application scanning
-commonly used as part of software dev.
-tools analyze custom developed software to identify common sec. vulns.
-occurs using 3 techniques:
->static testing = analyzes code without executing it
->dynamic testing = executes code as part of the test
->interactive testing = combines static + dynamic; analyzes source code while testers interact with the app
Web application scanners
-tools used to examine sec. of web apps
-test for web-specific vulns.
->SQL injection, XSS (cross site scripting), CSRF (cross site request forgery) vulns.
Network scanners
-probe a wide range of network-connected devices for known vulns.
-try to determine the type of device + its config, then launch targeted tests designed to detect the presence of known vulns.
-EX: Tenable's Nessus, Qualys, Rapid7, OpenVAS
Prevention
-every org. should have at least one scanner
-many orgs choose to deploy two different vuln scanning products in the same environment as a defense-in-depth control
Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS)
CVSS
-industry standard for assessing the severity of sec. vulns.
-provides a technique for scoring each vuln.
-use CVSS ratings to prioritize response actions
-rate vuln on 8 measures
-each measure given:
->descriptive rating + numeric score
-1st four = evaluate exploitability of vuln.
->metrics = attack vector, attack complexity, privileges required, user interaction
-last three = evaluate impact of vuln.
->metrics = confidentiality, integrity, availability
-8th = discusses scope of vuln.
->metric = scope
Configuration review
Chapple
Weiss
Gibson
Syslog/Security information and event management (SIEM)
-systems that correlate log entries from multiple sources + provide actionable intel
Review reports
Chapple
Weiss
Gibson
Packet capture
Chapple
Weiss
Gibson
Data inputs
Chapple
Weiss
Gibson
User behavior analysis
Chapple
Weiss
Gibson
Sentiment analysis
Chapple
Weiss
Gibson
Security monitoring
Chapple
Weiss
Gibson
Log aggregation
Chapple
Weiss
Gibson
Log collectors
Chapple
Weiss
Gibson
SOAR
Security orchestration, automation, and response
-automate routine/tedious/time intensive activities
->connect many different tools together (firewalls, acct mgmt, email filters, etc.)
-mitigation/recovery tool + incident response
-use playbooks + runbooks (4.4)
-automation
->handle sec tasks automatically
->allow automation of remediation + restoration workflows
-response
->make changes immediately
-Pros
->improve efficiency of threat mitigation + detection
->allow you to quickly assess:
~attack surface of the org
~state of systems
~where issues may exist
->frees up admins to focus on other admin tasks
-reduce the amount of time needed to investigate
-can be forwarded to other tools to investigate further
-verify if threat is real or not
Chapple 474
Gibson 408-409
Weiss 108-109, 546-548