1.7 - Techniques Used in Security Assessments Flashcards

1
Q

Threat Hunting

A
  • Attackers are always looking for the next threat
  • Strategies of today won’t likely be the strategies of tomorrow
  • Attackers are constantly modifying strategy
  • One big problem, you can’t react until you’re getting attacked
  • One goal: speed up reaction time or prevent attack
  • Ex: Firewalls get stronger, so phishing gets better
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Intelligence Fusion

A
  • Overwhelming amount of security data
  • Too much data to properly detect, analyze, and react
  • Data sources are different (server data is different from firewall different from IPS, etc)
  • Also there are different personnel teams (security teams, security intelligence, threat response)
  • Add external sources (threat feeds, governemental alerts, social media bulletins)
  • All these internal / external sources goes into DB
  • Goal: Fuse the security data together and use big data analytics to analyze and pick out correlations
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Cybersecurity maneuvers

A
  • Start deploying security technology (ex: additional firewalls, intrusion prevention, deleting malicious software)
  • These maneuvers are often automated, when the big data analytics spots potential threats the computer can react instantly
  • Combined with Fused Intelligence
  • This is an on going process
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Vulnerability Scans

A
  • Designed to look at systems and see if potential vulnerabilities exist (ex: in the OS, network device, or application)
  • Usually minimally invasive (unlike a penetration test)
  • Common to run this on all systems that are connected to the network (ex: servers, workstations, laptops)
  • Don’t dismiss insider threats, pretend you have insider access too
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Penetration Test

A
  • Invasive
  • Tries to gain access to your system
  • Unlike a vulnerability scan
  • another intrusive test is to take a known exploit and see if it can get into your system
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Port Scan

A
  • Looks at what ports are responding on a particular IP address
  • A type of vulnerability scan
  • poke around, see what’s open
  • May be able to gather information about things that are less than secure
  • Ex: you might see port 23 is running a telnet service and you know that telnet service inherently sends info that is not secure (not encrypted), this is a potential vulnerability
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Scan Types

A
  • Scanners are very powerful
  • use many different techniques to identify vulnerabilities
  • “non-invasive” but a little invasive. It’s gathering information, not trying to exploit a vulnerability. (as opposed to a penetration test)
  • Never run a scan on your network where you do not have explicit permission to do so
  • You must understand exactly what scan will do (there have been cases where a scan trips a bug that causes system to become unavailable)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Non-Credentials Scan

A
  • User doesn’t have login access
  • Run from their perspective
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Credentialed Scan

A
  • Run scan as a user who has rights, how much vulnerability exists?
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Scan Vulnerability Examples

A
  • Vulnerability scanner DB needs to be constantly updated
  • Can have application scans ( desktop, mobile apps)
  • Can have web application scans (software on a webserver)
  • Can have Network scans ( misconfigured firewalls, open ports, vulnerable devices)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Vulnerability Research

A
  • Will do a lot of reserach before and after scan
  • Resources: CVE - Common Vulnerabilities and Exposures
  • Resources: National Vulnerability Database - NVD
  • Microsoft Security Bulletins
  • Some vulnerabilities cannot be definitively tied identified by a CVE, need to do more research, but the scanner will alert you to the fact there’s an issue
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

NVD

A
  • National Vulnerability Database
  • This is the consolidated CVE DB
  • summary of all CVEs you can also find at mitre’s CVE website
  • Synchronized with the CVE list from Mitre
  • It also includes a CVSS (Common Vulnerability Scoring System)
  • http://nvd/nist.gov
  • very common resource for vulnerability scans
  • Industry collaboration, if you’re building a project you’ll want to involve this DB
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

CVE

A
  • Common Vulnerabilities and Exposures
  • https://cve.mitre.org/cve
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

CVSS

A
  • Common Vulnerability Scoring System
  • a feature in the NVD (National Vulnerability Database)
  • tells you severity threat
  • Quantitative scoring of vulnerability 0 to 10
  • Scoring standards change over time
  • 2 Different scoring methods, one for CVSS2.0 and one for CVSS3.x (use different criteria, need the picks the one that works for you)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Things Vulnerability Scans can expose

A
  • Lack of security controls (ex: if no firewall, anti-virus, anti-spyware. Things that should be in place)
  • Misconfigurations (Ex: open shares, guest access)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

False positivies

A
  • A vulnerability is identified by a scan that doesn’t really exist
  • Different from a low-severity vulnerability (which is real but may not be a high priority)
  • To combat this: Update to the latest signatures (if you don’t know it you can’t see it)
17
Q

False negative

A
  • A vulnerability exists, but scanner didn’t pick it up
  • worse than a false positive
  • To combat this: Update to the latest signatures (if you don’t know it you can’t see it)
18
Q

What if you find a false positive/negative?

A
  • Work with the vulnerability detection manufacturer
  • They may need to update their signatures for your environment
19
Q

Configuration Review

A
  • Validate the security of device configurations of OS (ex: may want to validate security settings, like firewall, anti virus)
  • Could look at account configurations to make sure no one is sharing that shouldn’t be
  • Could look at servers ( access controls, permissions settings)
  • Security devices (firewall rules, authentication options)
  • If you don’t want to do a full blown scan
20
Q

SIEM

A
  • Security Information and Event Management device
  • Designed to collect information of security events and information
  • core of SIEM is the log information
  • Log collection of security alerts
  • Real-time information
  • SIEM is often used a central repository - Log aggregation and long-term storage (usually includes advanced reporting features)
  • Data correlation - link diverse data types
  • Good place to go for forensics after a data event has occurred
  • often includes reporting features
21
Q

Syslog

A
  • Standard for message logging into a SIEM (b/c SIEM aggregates very different log information, need a way to have a standard way to feed in the data)
  • Diverse systems, consolidated log
  • Usually a syslog compatible collector in the SysLog itself
  • Looks for messages to be sent from diverse sources
  • You’re going to need a lot of disk space to store all these log datas (terabytes on terabytes)
22
Q

SIEM Data (what do you store?)

A
  • Data inputs (Ex: server authorization attempts, VPN connections, Firewall session logs, Denied outbound traffic flows, network utilizations)
  • Raw packet captures (especially if an event occurs, can add more information to these captures) (ex: network packets, often associated with a critical alert, some organizations capture everything)
23
Q

SOC

A
  • Security Operations Center
  • Common in large organizations
  • Someone can monitor all the SIEMs and react to the SIEM dashboard
  • Constant monitoring needed, track important statistic
  • automated emails can be set up to inform people
24
Q

Security Reports

A
  • Most SIEMs ( Security Information and Event Management) include a reporting feature
  • More readable view of log data
25
Q

Big Data Analytics

A
  • Ability to look through large amounts of very diverse data and identify patterns that would normally remain invisible
26
Q

UEBA

A
  • User and Entity Behavior Analytics
  • Looks at how ppl are acting (look at how ppl are using the network)
  • Detect insider threats, identify targeted attacks
  • Catches what the SIEM and DLP systems might miss
27
Q

Sentiment Analysis

A
  • Examines how public views a particular organizations
  • Tends to attract hackers if it’s widely hated, could impact what type of security you need on your network
  • Public discourse correlates to real-world behavior
  • Social media can be a barometer
28
Q

SOAR

A
  • Security Orchestration, Automation and Response
  • Goal is to - Automate routine, tedious, and time-intensive activities
  • Orchestration - connecting many tools and devices together (ex: firewalls, account management, email filters) this can be done dynamically
  • Automation - handle security tasks automatically (ex: configuration firewalls. computer is much faster and can mitigate things faster.)
  • Response - make changes immediately, any time of day