Ch13-Describing Security Data Collection Flashcards
A key step in implementing a successful SOC
to follow a threat-centric approach in network security monitoring.
What is a threat-centric approach?
A threat-centric approach is all about the threat (not just compliance), and the threat’s life cycle, which includes before, during, and after attack phases.
What is one result of placing an IPS on the untrusted (outside) segment of a firewall?
The IPS can detect new forms of attacks.
Placement of an IPS
Optimal placement of an IPS depends on the needs and topology of the network to be protected.
Data type that documents all the individual network sessions based on the session’s 5-tuple
Session Data
session’s 5-tuple
transport protocol, source IP address, source port, destination IP address, and destination port
commonly implemented example of session data
NetFlow
Analogous to Wiretap
Full Packet Capture
The actual content of a conversation may be extracted from full packet captures.
Full Packet Capture
Downside of Full Packet Capture
It has tremendous storage requirements and is tedious to analyze.
Commonly used file format of Full Packet Capture
PCAP (packet capture)
highlights operations that occur as a result of network sessions and system activities
Transaction Data
Objects that are mined from network traffic
Extracted Content
another security monitoring data type that aids in describing network activities at a higher level
Statistical Data
These data formulate baselines. Baselines document the aggregate normal patterns and their trends.
Statistical Data
Comparing actual traffic patterns to the baseline patterns can reveal _______
anomalous behavior.
most crystallized of the data types
Alert Data
Potential Issues with Alert data
False positives and false negatives
Advantage of alert data
The tool can process tremendous amounts of network traffic in real time; it is much faster than a human analyst could ever be.
real-time access to the logs of their devices
Syslog
Code 0
Emergency
Code 1
Alert
Code 2
Critical
Code 3
Error
Code 4
Warning
Code 5
Notice
Code 6
Informational
Code 7
Debug
data point that is extracted from security data that can be used as a high fidelity predictor of system compromise
Indicator of Compromise (IOC)
extensible XML schema that enables security professionals to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise.
OpenIOC
NTP Port
UDP port 123
protocol that is designed to synchronize the clocks of computers and network devices over a network
NTP
Which of the following network security data types requires the largest amount of storage?
full packet capture
Which two statements best describe why it is important to deploy an NTP solution in a network infrastructure?
Accurate time stamping across the network is critical to forensic investigation after a compromise occurs.
NTP can provide an authenticated time source from which security tools can operate.
IPS logs are correlated with which other log files?
firewall logs, DNS logs, web security logs, email logs, AAA server logs, application logs, NetFlow records, and PCAP traffic analysis.
open source intrusion prevention system that is offered by the Talos Intelligence Group
SNORT
A security control acted when malicious activity did not take place.
False positive
A security control did not act when malicious activity took place.
False negative
A security control acted when malicious activity took place.
True positive
A security control did not act, because there was no malicious activity.
True negative
The security control, such as an IPS or IDS sensor, acted as a consequence of malicious activity, which represents normal and optimal operation.
True positives
The security control acted as a consequence of non-malicious activity, which represents an error, generally caused by too-tight proactive controls (which do not permit all legitimate traffic) or too-relaxed reactive controls (with too-broad descriptions of the attack).
False positives
The security control has not acted, because there was no malicious activity, which represents normal and optimal operation.
True negatives
The security control has not acted, even though there was malicious activity, which represents an error, generally caused by too relaxed proactive controls (which permit more than just minimal legitimate traffic) or too specific reactive controls (with too-specific descriptions of the attack).
False negatives
are generally tuned to be less sensitive in order not to block legitimate traffic (for example, IPS sensors)
Preventive controls
are tuned to be more sensitive at a cost of false positives (for example, IDS sensors)
Detective controls
To effectively perform this step of the process, analysts must have the following:
An accurate assessment of the time constraints that they must work within
Familiarity with the network being protected, to prioritize critical alerts
You are investigating IPS alerts and finding that many of them have been generated by normal network activity. What is most likely to be the cause of this situation?
Proactive controls are too restrictive.
Which two security control decisions indicate optimal security control behavior?
true positive
true negative
What are the two primary purposes of the intrusion analysis process?
blocking attacks, identifying attacks
Which two statements are true about firewall logs?
Firewall logs can help a security analyst understand communication relationships and timing of the attacks.
A small subset of firewall logs usually provides the most benefit to an analyst.
DNS logging can capture URL resolution requests and responses. How can these two assist with identifying or reconstructing a compromise or incident?
The DNS queries will identify the external server that was being accessed for the incident transactions.
The DNS name may exhibit exfiltrated data as the subdomain.
Status Code: Successful Transactions
Begins with 2
200
OK
201
Created
202
Accepted
Status Code: Redirected Transactions
Begins with 3
301
Moved permanently
302
Moved temporarily
304
Not modified
Status Code: Client-Side Errors
Begins with 4
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
Status Code: Server-Side Errors
Begins with 5
500
Internal server error
501
Not implemented
502
Bad gateway
503
Service unavailable
Common HTTP Request Methods
GET
Retrieval and simple searches
POST
Submit data-query
PUT
Upload data-files
Uncommon, Potentially Malicious Requests
HEAD
Metadata retrieval
DELETE
Remove resource
TRACE
Application layer trace of route
OPTIONS
Request available methods
CONNECT
Tunnel SSL connection
PROPFIND
Retrieve properties of an object
What is the purpose of a DLP policy?
to prevent end users from sending sensitive or critical information outside the corporate network
Which two types of logs can you see on most typical email proxies?
logs regarding incoming spam emails
logs regarding incoming emails containing viruses
Which two of the following statements best describe the ways in which AAA server logs can be useful in protecting the network and users?
Most AAA servers log authentication failures, an excessive number of which may point the security analyst to a brute force attack.
Authentication logs track the success and failure of legitimate users with a time stamp record.
What is NGFW?
Next-Generation Firewall
What are the additional features of a firewall?
Traditional firewall services plus VPN, IPS, AMP, DNS inspection, application visibility and control, reputation-based filtering, URL filtering, and SSL decryption.
Which three are true about Cisco Firepower NGFW logging?
can log packet-level information about IPS events
can identify indications of compromise
can log the NGFW connection events
On a Linux system, where are application logs usually stored?
/var/log folder
Which two statements are true about application logs?
The application log file contains events that are logged by the network applications.
Application logs can be used along with the network usage logs to verify that network resources are being used appropriately.
Packet Capture Analyst Goals (after data is collected)
Identify Affected Hosts
Reconstruct Attack
Analyze Traffic Path
They provide the capability to automatically capture the traffic associated with the IPS alerts.
Many IPSs, such as Snort
When attempting to reconstruct an incident from a packet capture, which three things should an analyst pay special attention to?
IP addresses of hosts that may have been affected
the path that was used in the attack
the timeline of the attack
Which statement is true about NetFlow?
NetFlow provides a complete audit trail of all network communications.
What are three pieces of information that NetFlow captures?
the time of IP conversations
the amount of data that is transferred during IP conversations
identities of systems that are involved in IP conversations
Which three of the following statements are true about network behavior anomaly detection?
It can enable an analyst to quickly track down malicious activities on the network by identifying abnormal network traffic conditions.
It works by comparing a known state of normal traffic to current traffic flows.
Its validity and usefulness can be impaired if the size of the sliding window is not set appropriately.
Which three statements are true about company data and data loss?
Disgruntled employees are often sources of data leakage.
Company data is at a serious security risk today because data is more available and accessible than ever before.
One of the quickest ways to determine whether internal users may be involved in data loss is by viewing any alarms that the users have triggered.
What does SIEM mean?
Security Information and Event Management Systems
Which three of the following best describe how a SIEM should be used?
anomaly detection
data correlation
automated reporting