Ch13-Describing Security Data Collection

Question 1

A key step in implementing a successful SOC

Answer 1

to follow a threat-centric approach in network security monitoring.

Question 2

What is a threat-centric approach?

Answer 2

A threat-centric approach is all about the threat (not just compliance), and the threat’s life cycle, which includes before, during, and after attack phases.

Question 3

What is one result of placing an IPS on the untrusted (outside) segment of a firewall?

Answer 3

The IPS can detect new forms of attacks.

Question 4

Placement of an IPS

Answer 4

Optimal placement of an IPS depends on the needs and topology of the network to be protected.

Question 5

Data-Type documents all the individual network sessions based on the session’s 5-tuple

Answer 5

Session Data

Question 6

session’s 5-tuple

Answer 6

transport protocol, source IP address, source port, destination IP address, and destination port

Question 7

commonly implemented example of session data

Answer 7

NetFlow

Question 8

Analogous to Wiretap

Answer 8

Full Packet Capture

Question 9

The actual content of a conversation may be extracted from full packet captures.

Answer 9

Full Packet Capture

Question 10

Downside of Full Packet Capture

Answer 10

It has tremendous storage requirements, tedious to analyze

Question 11

Commonly used file format of Full Packet Capture

Answer 11

PCAP(packet capture)

Question 12

highlights operations that occur as a result of network sessions and system activities

Answer 12

Transaction Data

Question 13

Objects that are mined from network traffic

Answer 13

Extracted Content

Question 14

other security monitoring data types that aids in describing network activities at a higher level

Answer 14

Statistical Data

Question 15

These data formulate baselines. Baselines document the aggregate normal patterns and their trend

Answer 15

Statistical Data

Question 16

Comparing actual traffic patterns to the baseline patterns can reveal_______

Answer 16

anomalous behavior.

Question 17

most crystallized of the data types

Answer 17

Alert Data

Question 18

Potential Issues with Alert data

Answer 18

False positive and false negatives

Question 19

Advantage of alert data

Answer 19

that the tool can process tremendous amounts of network traffic in real time. It is much faster than a human analyst could ever be

Question 20

real-time access to the logs of their devices

Answer 20

Syslog

Question 21

Code 0

Answer 21

Emergency

Question 22

Code 1

Answer 22

Alert

Question 23

Code 2

Answer 23

Critical

Question 24

Code 3

Answer 24

Error

Question 25

Code 4

Answer 25

Warning

Question 26

Code 5

Answer 26

Notice

Question 27

Code 6

Answer 27

Informational

Question 28

Code 7

Answer 28

Debug

Question 29

data point that is extracted from security data that can be used as a high fidelity predictor of system compromise

Answer 29

Indicator of Compromise (IOC)

Question 30

extensible XML schema that enables security professionals to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise.

Answer 30

OpenIOC

Question 31

NTP Port

Answer 31

UDP port 123

Question 32

protocol that is designed to synchronize the clocks of computers and network devices over a network

Answer 32

NTP

Question 33

Which of the following network security data types requires the largest amount of storage?

Answer 33

full packet capture

Question 34

Which two statements best describe why it is important to deploy an NTP solution in a network infrastructure?

Answer 34

Accurate time stamping across the network is critical to forensic investigation after a compromise occurs.
NTP can provide an authenticated time source from which security tools can operate.

Question 35

IPS is correlated to what other log files?

Answer 35

firewall logs, DNS logs, web security logs, email logs, AAA server logs, applications logs, NetFlow records, and PCAPs traffic analysis.

Question 36

open source intrusion prevention system that is offered by the Talos Intelligence Group

Answer 36

SNORT

Question 37

A security control acted when malicious activity did not take place.

Answer 37

False positive

Question 38

A security control did not act when malicious activity took place.

Answer 38

False negative

Question 39

A security control acted when malicious activity took place.

Answer 39

True positive

Question 40

A security control did not act, because there was no malicious activity.

Answer 40

True negative

Question 41

The security control, such as an IPS or IDS sensor, acted as a consequence of malicious activity, which represents normal and optimal operation.

Answer 41

True positives

Question 42

The security control that is acted as a consequence of non-malicious activity, which represents an error, generally caused by too tight proactive controls (which do not permit all legitimate traffic) or too relaxed reactive controls (with too broad descriptions of the attack).

Answer 42

False positives

Question 43

The security control has not acted, because there was no malicious activity, which represents normal and optimal operation.

Answer 43

True negatives

Question 44

The security control has not acted, even though there was malicious activity, which represents an error, generally caused by too relaxed proactive controls (which permit more than just minimal legitimate traffic) or too specific reactive controls (with too-specific descriptions of the attack).

Answer 44

False negatives

Question 45

are generally tuned to be less sensitive in order not to block legitimate traffic, (for example, IPS sensors)

Answer 45

Preventive controls

Question 46

are tuned to be more sensitive at a cost of false positives (for example, IDS sensors)

Answer 46

detective controls

Question 47

To effectively perform this step of the process, analysts must have the following:

Answer 47

An accurate assessment of the time constraints that they must work within

Familiarity with the network being protected to prioritize critical alert

Question 48

You are investigating IPS alerts and finding that many of them have been generated by normal network activity. What is most likely to be the cause of this situation?

Answer 48

Proactive controls are too restrictive.

Question 49

Which two security control decisions indicate optimal security control behavior?

Answer 49

true positive

true negative

Question 50

What are the two primary purposes of the intrusion analysis process?

Answer 50

blocking attacks,identifying attacks

Question 51

Which two statements are true about firewall logs?

Answer 51

Firewall logs can help a security analyst understand communication relationships and timing of the attacks.
A small subset of firewall logs usually provides the most benefit to an analyst.

Question 52

DNS logging can capture URL resolution requests and responses. How can these two assist with identifying or reconstructing a compromise or incident?

Answer 52

The DNS queries will identify the external server that was being accessed for the incident transactions.,
The DNS name may exhibit exfiltrated data as the subdomain.

Question 53

Status Code: Successful Transactions

Answer 53

Begins with 2
200

OK

201

Created

202

Accepted

Question 54

Status Code: Redirected Transactions

Answer 54

Begins with 3

301

Moved permanently

302

Moved temporarily

304

Not modified

Question 55

Status Code Client-Side Errors

Answer 55

Begins with 4
400

Bad request

401

Unauthorized

403

Forbidden

404

Not found

Question 56

Status Code Server-Side Error

Answer 56

Begins with 5
500

Internal server error

501

Not implemented

502

Bad gateway

503

Service unavailable

Question 57

Common HTTP Request Methods

Answer 57

GET

Retrieval and simple searches

POST

Submit data-query

PUT

Upload data-files

Question 58

Uncommon, Potentially Malicious Requests

Answer 58

HEAD

Metadata retrieval

DELETE

Remove resource

TRACE

Application layer trace of route

OPTIONS

Request available methods

CONNECT

Tunnel SSL connection

PROPFIND

Retrieve properties of an objec

Question 59

What is the purpose of a DLP policy?

Answer 59

to prevent end users from sending sensitive or critical information outside the corporate network

Question 60

Which two types of logs can you see on most typical email proxies?

Answer 60

logs regarding incoming spam emails

logs regarding incoming emails containing viruses

Question 61

Which two of the following statements best describe the ways in which AAA server logs can be useful in protecting the network and users?

Answer 61

Most AAA servers log authentication failures, an excessive number of which may point the security analyst to a brute force attack.

Authentication logs track the success and failure of legitimate users with a time stamp record.

Question 62

What is NGFW?

Answer 62

Next Generation Fire Wall

Question 63

What are the additional features of a firewall?

Answer 63

raditional firewall services plus VPN, IPS, AMP, DNS inspection, application visibility and control, reputation-based filtering, URL filtering, SSL decryption,

Question 64

Which three are true about the Cisco FirePower NGFW logging?

Answer 64

can log packet-level information about IPS events
can identify indications of compromise
can log the NGFW connections events

Question 65

On a Linux system, where are application logs usually stored?

Answer 65

/var/log folder

Question 66

Which two statements are true about application logs?

Answer 66

The application log file contains events that are logged by the network applications.
Application logs can be used along with the network usage logs to verify that network resources are being used appropriately.

Question 67

Packet Capture Analyst Goals

Answer 67

Identify Affected Hosts
After Data is collected
Reconstruct Attack
Analyze Traffic Path

Question 68

It provide the capability to automatically capture the traffic associated with the IPS alerts.

Answer 68

Many IPSs, such as Snort,

Question 69

When attempting to reconstruct an incident from a packet capture, which three things should an analyst pay special attention to?

Answer 69

IP addresses of hosts that may have been affected

the path that was used in the attack

the timeline of the attack

Question 70

Which statement is true about NetFlow

Answer 70

NetFlow provides a complete audit trail of all network communications.

Question 71

What are three pieces of information that NetFlow captures?

Answer 71

the time of IP conversations

the amount of data that are transferred during IP conversations

identities of systems that are involved in IP conversations

Question 72

Which three of the following statements are true about network behavior anomaly detection?

Answer 72

It can enable an analyst to quickly track down malicious activities on the network by identifying abnormal network traffic conditions.

It works by comparing a known state of normal traffic to current traffic flows.

Its validity and usefulness can be impaired if the size of the sliding window is not set appropriately

Question 73

Which three statements are true about company data and data loss

Answer 73

Disgruntled employees are often sources of data leakage.

Company data is at a serious security risk today because data is more available and accessible than ever before.

One of the quickest ways to determine whether internal users may be involved in data loss is by viewing any alarms that the users have triggered.

Question 74

What SIEM means?

Answer 74

Security Information and Event Management Systems

Question 75

Which three of the following best describe how a SIEM should be used

Answer 75

anomaly detection
data correlation
automated reporting