(3) Tools and Techniques that help figure out Malicious Activity Flashcards
What are the most important points of logs, log analysis, and correlation when it comes to determining what is going on with a security event?
Security professionals need to be able to do these things to determine what is going on during an incident:
-Knowing if the events are related to the initial event
-Understanding if a system, user, service, or other assets were involved or affected
-Classifying data for any data assets that are part of the event
-Identifying other information involved that could influence org decisions about the event
When a security professional needs to analyze data to work through it during an investigation, what can the professional use to sort through the data?
Security professionals can use a SIEM tool, Splunk, or ELK (Elasticsearch, Logstash, and Kibana), or manual techniques as well
Once a security professional assesses org impact vs local impact, what must be figured out next?
Once a security professional determines the org impact versus local impact, they must:
-decide what the immediate impact of the event is compared to the total impact. A single incident might not do much on its own, but it could be part of a larger issue.
What are trend analysis techniques?
Trend analysis techniques are those that help analysts notice changes from baseline or normal levels for events.
What do security analysts need to know about logs?
Security analysts need to know what logs are on their systems, how to get to them, how to find data about the logs themselves, and how to interpret them.
Plus, there needs to be an understanding of how the org uses its logs, whether they are secured properly, and what problems exist in log collection and infrastructure analysis
What do security professionals need to remember about logs as they examine them?
Security professionals need to be aware of how their org centralizes logs and logging systems for on-prem and cloud logs
What is a Security Information and Event Management (SIEM) tool?
A SIEM tool is one that leverages centralized logging and data collection with reporting and analysis abilities to figure out security issues.
Threat information, IOCs (indicators of compromise), and other data are used to identify what is going on.
They also use rule and filtering capabilities to do their analysis, which lets orgs deal with the large volume of security information that systems generate
Other than centralized logging and data gathering, what other capabilities do Security Information and Event Management (SIEM) tools leverage?
SIEM tools also provide incident management and response tools and capabilities for tracking, oversight, and management
What is an Endpoint Detection and Response (EDR) tool?
EDR tools are deployed on endpoint devices; they use agents to monitor for and identify potential security problems, attacks, and compromises.
EDR tools look closely at threat patterns, indicators of compromise, and behavioral trends to figure out if something bad has happened or is happening.
The EDR system then responds by removing the threat, containing it, or alerting security personnel/sysadmins
In addition to monitoring for attacks, compromises and behavioral analysis, what else do Endpoint Detection and Response (EDR) tools do?
EDRs also have tools that can assist in forensic analysis and incident response
What are Security Orchestration, Automation, and Response (SOAR) tools?
SOAR tools are used to integrate security tools and systems. They rely on Application Programming Interfaces (APIs) or other methods to pick up data from security devices, vulnerability scanners, antimalware tools, IDS and IPS, EDR and SIEM systems, and anything else the org uses.
All of this data drives the org's response to stop the threat or activity using automation and scripts. SOAR also uses playbooks, which are automated sets of actions that run when certain events happen
Other than the various systems that they use to ingest data and the automated responses that they employ, what else do Security Orchestration, Automation, and Response (SOAR) tools do to perform their work?
SOAR tools focus on responding, with incident management, monitoring, and reporting abilities included in their repertoire
They build actionable intelligence from their data sources
Describe what reputation services are
Reputation services are all about what the name says: reputation. If a website (and its corresponding IP address) is compromised or is associated with something really bad, it can get added to a listing saying that the website is known for something bad.
What is Whois?
Whois is a site where you can look up information about a website: where it is located, its IP address, and a lot of other information.
What is AbuseIPDB?
AbuseIPDB is a site that lets you search for IP addresses, networks, etc. to see whether they have been reported for abuse