1.7 - Summarize the techniques used in security assessments. Flashcards
Threat hunting
-proactive approach to finding the attacker before alerts are triggered
-find the attacker before they find you
-not reactive or detective
Intelligence fusion
-too much data to properly detect, analyze, and react
-separate teams (sec. ops, sec. intel, threat response)
-fuse sec. data with big data analytics
->analyze large + diverse data sets
->pick out interesting data pts + correlations
Breakdown
-gathering + merging various sources of threat intel data
->open source intel, internal logs, internal feeds
-combine diverse data pts to identify emerging threats + patterns that might go unnoticed when examining individual sources
Fusing data
-collect data = logs, sensors, net. info, internet events, intrusion detection
-add external sources = threat feeds, govt alerts, advisories/bulletins, social media
-correlate with big data analytics = focuses on predictive analytics + user behavior analytics, mathematical analysis of unstructured data
Threat feeds
-regularly updated streams of info about known threats + vulns. + emerging threats + IOCs
-provides sec. teams with real-time/near-real-time info about mal. IPs, malware signatures, other IOCs
-by integrating TFs into sec. systems, orgs can proactively block + detect threats based on latest intel.
-provides orgs with timely + actionable info to defend
-enables proactive threat detection + response
->helps mitigate risks + protect assets effectively
Advisories and bulletins
-
Maneuver
Vulnerability scans
False positives
False positive
-scanner reports vuln. that doesn’t exist
Positive report
-when vuln scanner reports vuln
True positive
-report is accurate
False positive report
-inaccurate report
False negatives
Negative report
-scanner reports that a vuln isn’t present
True negative report
-negative report is accurate
False negative report
-negative report is inaccurate
Log reviews
-might contain info about possible attempts to exploit detected vuln.
Credentialed vs. non-credentialed
Credentialed scan
-you're a normal user; emulates an insider attack
Non-credentialed scan
-the scanner can't log in to the remote device
Intrusive vs. non-intrusive
Application scanning
-commonly used as part of software dev.
-tools analyze custom developed software to identify common sec. vulns.
-occurs using 3 techniques:
-> static testing = analyzes code wthout executing it
->dynamic testing = executes code as part of test.
->interactive testing = combine static/dynamic. analyzes source code while testers interact with app
Web application scanners
-tools used to examine sec. of web apps
-test for web-specific vulns.
->SQL injection, XSS (cross site scripting), CSRF (cross site request forgery) vulns.
Network scanners
-probe wide range of net. connected devices for known vulns.
-try to determine type of device + its config, then launch targeted tests designed to detect presence of known vulns.
-EX: Tenable's Nessus, Qualys, Rapid7, OpenVAS
Prevention
-every org. should have at least one scanner
-many orgs choose to deploy two diff. vuln scanning products in the same environment as a defense-in-depth ctrl
Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS)
CVSS
-industry standard for assessing severity of sec. vulns.
-provides technique for scoring each vuln.
-use CVSS ratings to prioritize response actions
-rate vuln on 8 measures
-each measure given:
->descriptive rating + numeric score
-1st four = evaluate exploitability of vuln.
->metrics = attack vector, attack complexity, privileges required, user interaction
-last three = evaluate impact of vuln.
->metrics = confidentiality, integrity, availability
-8th = discusses scope of vuln.
->metric = scope