CH23 Monitoring and Auditing Flashcards

1
Q

What are 3 Automated ways to monitor activities?

A

signature-based, anomaly-based, or behavior-based

  1. Signature-based monitoring – network traffic is analyzed for predetermined attack patterns
  2. Anomaly-based monitoring – a baseline is established and any network traffic that is outside of the baseline is evaluated (looking for something that is outside of the ordinary)
  3. Behavior-based monitoring – activity is evaluated based on the previous behavior of applications, executables, and the operating system in comparison to the current activity of the system
2
Q

What is Signature-based monitoring?

A

network traffic is analyzed for predetermined attack patterns

3
Q

What is Anomaly-based monitoring?

A

a baseline is established and any network traffic that is outside of the baseline is evaluated (looking for something that is outside of the ordinary)

4
Q

What is Behavior-based monitoring?

A

activity is evaluated based on the previous behavior of applications, executables, and the operating system in comparison to the current activity of the system

5
Q

What is Security Posture?

A

Risk level to which a system or other technology element is exposed.

6
Q

What is Perfmon.exe?

A

Windows Performance Monitor program

7
Q

What are Protocol Analyzers?

A

They are used to capture and analyze network traffic.

8
Q

What is Promiscuous mode in Protocol Analyzers?

A

Network adapter is able to capture all of the packets on the network regardless of the destination MAC address of the frames carrying them

9
Q

What is Non-promiscuous mode in Protocol Analyzers?

A

Network adapter can only capture the packets addressed to itself directly

10
Q

What is Port mirroring?

A

one or more switch ports are configured to forward all of their packets to another port on the switch. This port is normally called a SPAN port.

Port mirroring can slow down the network and cause packets to drop. To avoid this, or if you cannot configure a SPAN port, you can use a network tap instead.

11
Q

What is a Network Tap?

A

a physical device that allows you to intercept the traffic between two points on the network.

12
Q

What is SNMP?

A

SNMP = Simple Network Management Protocol

A TCP/IP protocol that aids in monitoring network-attached devices and computers.

SNMP is incorporated into a network management and monitoring system.

For the exam, know the function of SNMP.

13
Q

What are Managed Devices in regards to SNMP?

A

Computers and other network-attached devices that are monitored by a network management system through the use of agents.

14
Q

What are Agents in regards to SNMP?

A

Software that is loaded on a managed device to relay information to the network management system.

15
Q

What is a Network Management System (NMS) in regards to SNMP?

A

Software run on one or more servers to control the monitoring of network-attached devices and computers.

16
Q

What are the 3 different versions of SNMP?

A

SNMP v1, SNMP v2, SNMP v3

SNMP v1/v2 are insecure because they rely on community strings to access a device.

SNMP v3 – provides integrity, authentication, and encryption of the messages being sent over the network.

17
Q

What is Manual audit?

A

Looking at security logs, ACLs, user rights/permissions, group policies, vulnerability scans, and written organizational policies, and interviewing personnel.

For the exam: logs are part of auditing.

18
Q

What are three types of logs in Windows?

A

Security log - logs events such as successful and unsuccessful user logons to the system

System log - logs events such as a system shutdown and driver failures

Application log - logs events for the operating system and third-party applications

On the exam: you might get a question like “If you are trying to find when a user successfully logged onto a system, which log would you look at?”, with the choices Security, Application, or System log. Know that it’s the Security log.

19
Q

What is SYSLOG?

A

A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports on and analyzes them.

To consolidate all the logs into a single repository, you can use SYSLOG.

20
Q

What is a SYSLOG server?

A

A single logging server to which different servers around the world send their log files.

SYSLOG uses port 514 over UDP.

21
Q

What is Write Once Read Many (WORM)?

A

Technology, like DVD-R, that allows data to be written only once but read an unlimited number of times.

On the exam: anytime you’re trying to protect something from prying eyes, anytime you want to make sure that you keep people out from seeing things, encryption is a great choice.

22
Q

What is SIEM?

A

SIEM = Security Information and Event Monitoring system

A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

A SIEM solution can be implemented as software, as a hardware appliance, or as an outsourced managed service.

23
Q

What are some of the commercial SIEM applications?

A

Splunk - Market-leading big data information gathering and analysis tool that can import machine-generated data via a connector or visibility add-on

ELK/Elastic Stack
ArcSight
QRadar
AlienVault and OSSIM (Open-Source Security Information Management)
Graylog

For the exam: if you hear any of these names, you should know they have the ability to act as a SIEM.

24
Q

What is Syslog?

A

A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

Syslog follows a client-server model and is the de facto standard for logging of events from distributed systems.

Port 514 UDP
Port 1468 TCP/IP (newer versions called syslog-ng or rsyslog)

25
Q

What is Security Orchestration, Automation, and Response (SOAR)?

A

A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

SOAR is primarily used for incident response.

SOAR is essentially next-generation SIEM: a security information and event monitoring system with an integrated SOAR.

SOAR gives you:
* Scanning of security / threat data
* Analysis of that data with Machine Learning (ML)
* Automated data enrichment
* Provisioning of new resources

26
Q

What is a Playbook in regards to monitoring?

A

A checklist of actions to perform to detect and respond to a specific type of incident.

27
Q

What is a Runbook in regards to monitoring?

A

An automated version of a playbook that leaves clearly defined interaction points for human analysis.