(4) Indicators Of Compromise And Tools And Techniques Of Threat Hunting Flashcards
What are Indicators of Compromise (IOCs)? What are IOCs used for?
IOCs are data that normally identify compromised systems and software. They are used to detect breaches, compromises, and malware, as well as activities associated with specific attacks.
What are three points that are involved with Indicators Of Compromise (IOCs)?
-Collection
-Analysis
-Application
In terms of Indicators Of Compromise (IOC), describe Collection
Collection covers how to acquire data that can indicate an issue. This involves the data sources, tools, and logs used to gather it.
In terms of Indicators Of Compromise (IOC), describe Analysis
Once data has been collected, it has to be analyzed to confirm that it indicates an intrusion has happened. Analysis demands that you understand what the data means and its context, so you can determine whether a compromise has happened or been attempted.
In terms of Indicators of Compromise (IOC), describe Application
Application of IOCs happens in two ways:
-Analysis to determine whether a compromise has happened, which would result in incident response processes being activated. This can happen as part of the analysis process too.
-Threat intelligence sources and groups document IOCs and make them available in a form that can be used for monitoring and analysis.
What are the common IOCs that one should be familiar with when it comes to IOC types?
-Questionable login activity
-Modifications to files
-Unexpected use of privileged accounts
-Unusual network traffic
-Large data transfers
-Unexpected services, ports, software, and other items running on systems and devices
What is active defense?
Active defense is about deception that delays or confuses attackers. This could include tar pits that give attackers fake targets and data to slow down scans and attacks.
What specific setups are involved with honeypots?
Honeypots are set up with logging enabled to give threat analysts a chance to analyze attacker tools, behaviors, and techniques.