6. Sound the alarm: detection and response Flashcards
Computer security incident response teams (CSIRT)
specialized group of security professionals that are trained in incident management and response
Documentation
any form of recorded content that is used for a specific purpose
Endpoint detection and response EDR
application that monitors an endpoint for malicious activity
Event
observable occurrence on a network, system, or device
False negative
state where the presence of a threat is not detected
False positive
alert that incorrectly detects the presence of a threat
Incident
occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of info or an info system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies
Incident handler’s journal
form of documentation used in incident response
Incident response plan
document that outlines the procedures to take in each step of incident response
Intrusion detection system IDS
application that monitors system activity and alerts on possible intrusions
Intrusion prevention system IPS
application that monitors system activity for intrusive activity and takes action to stop the activity
National Institute of Standards and Technology NIST Incident Response Lifecycle
framework for incident response consisting of four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity
Playbook
manual that provides details about any operational action
Security information and event management SIEM
application that collects and analyzes log data to monitor critical activities in an org
Security operations center SOC
org unit dedicated to monitoring networks, systems, and devices for security threats or attacks
Security orchestration, automation, and response SOAR
collection of applications, tools, and workflows that uses automation to respond to security events
True negative
state where there is no detection of malicious activity
True positive
alert that correctly detects the presence of an attack
Command and control C2
techniques used by malicious actors to maintain communications with compromised systems
Command-line interface CLI
text-based user interface that uses commands to interact with the computer
Data exfiltration
unauthorized transmission of data from a system
Data packet
basic unit of info that travels from one device to another within a network
Indicators of compromise IoC
observable evidence that suggests signs of a potential security incident
Internet Protocol IP
set of standards used for routing and addressing data packets as they travel between devices on a network
Intrusion detection systems IDS
application that monitors system activity and alerts on possible intrusions
Media Access Control MAC address
unique alphanumeric identifier that is assigned to each physical device on a network
National Institute of Standards and Technology NIST Incident Response Lifecycle
framework for incident response consisting of four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity
Network data
data that’s transmitted between devices on a network
Network protocol analyzer (packet sniffer)
tool designed to capture and analyze data traffic within a network
Network traffic
amount of data that moves across a network
Network Interface Card NIC
hardware that connects computers to a network
Packet capture (p-cap)
file containing data packets intercepted from an interface or network
Packet sniffing
practice of capturing and inspecting data packets across a network
Playbook
manual that provides details about any operational action
Root user (or superuser)
user with elevated privileges to modify the system
Sudo
command that temporarily grants elevated permissions to specific users
tcpdump
command-line network protocol analyzer
Wireshark
open-source network protocol analyzer
Analysis
investigation and validation of alerts
Broken chain of custody
inconsistencies in the collection and logging of evidence in the chain of custody
Business continuity plan BCP
document that outlines the procedures to sustain business operations during and after a significant disruption
Chain of custody
process of documenting evidence possession and control during an incident lifecycle
Containment
act of limiting and preventing additional damage caused by an incident
Crowdsourcing
practice of gathering info using public input and collaboration
Detection
prompt discovery of security events
Documentation
any form of recorded content that is used for a specific purpose
Eradication
complete removal of the incident elements from all affected systems
Final report
documentation that provides a comprehensive review of an incident
Honeypot
system or resource created as a decoy vulnerable to attacks with the purpose of attracting potential intruders
Incident response plan
document that outlines the procedures to take in each step of incident response
Indicators of attack IoA
series of observed events that indicate a real-time incident
Indicators of compromise IoC
observable evidence that suggests signs of a potential security incident
Intrusion detection system IDS
application that monitors system activity and alerts on possible intrusions
Lessons learned meeting
meeting that includes all involved parties after a major incident
Open-source intelligence OSINT
collection and analysis of info from publicly available sources to generate usable intelligence
Playbook
manual that provides details about any operational action
Post-incident activity
process of reviewing an incident to identify areas for improvement during incident handling
Recovery
process of returning affected systems to normal operations
Resilience
ability to prepare for, respond to, and recover from disruptions
Standards
references that inform how to set policies
Threat hunting
proactive search for threats on a network
Threat intelligence
evidence-based threat info that provides context about existing or emerging threats
Triage
prioritization of incidents according to their level of importance or urgency
VirusTotal
service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content
Anomaly-based analysis
detection method that identifies abnormal behavior
Array
data type that stores data in a comma-separated ordered list
Common Event Format CEF
log format that uses key-value pairs to structure data and identify fields and their corresponding values
Configuration file
file used to configure the settings of an application
Endpoint
any device connected to a network
Endpoint detection and response EDR
application that monitors an endpoint for malicious activity
False positive
alert that incorrectly detects the presence of a threat
Host-based intrusion detection system HIDS
application that monitors the activity of the host on which it’s installed
Intrusion detection systems IDS
application that monitors system activity and alerts on possible intrusions
Key-value pair
set of data that represents two linked items: a key and its corresponding value
Log
record of events that occur within an organization’s systems
Log analysis
process of examining logs to identify events of interest
Log management
process of collecting, storing, analyzing, and disposing of log data
Logging
recording of events occurring on computer systems and networks
Network-based intrusion detection system NIDS
application that collects and monitors network traffic and network data
Object
data type that stores data in a comma-separated list of key-value pairs
Search Processing Language SPL
Splunk’s query language
Security information and event management SIEM
application that collects and analyzes log data to monitor critical activities in an organization
Signature
pattern that is associated with malicious activity
Signature analysis
detection method used to find events of interest
Suricata
open-source intrusion detection system, intrusion prevention system, and network analysis tool
Telemetry
collection and transmission of data for analysis
Wildcard
special character that can be substituted with any other character
YARA-L
computer language used to create rules for searching through ingested log data
Zero-day
exploit that was previously unknown