Chapter 17

Question 1

Incident Management

Answer 1

1. Detection - IDS, anti-malware, audit logs, etc.
2. Response
3. Mitigation - contain incident
4. Reporting
5. Recovery
6. Remediation
7. Lessons learned

Question 2

DoS attacks

Answer 2

• SYN flood attack
• Smurf attack - reflective DoS; broadcast ICMP echo req with spoofed victim IP
• Fraggle - reflective DoS; broadcast UDP echo req with spoofed victim IP
• Ping flood

Legacy attacks:
- Ping of Death - oversized ping packet
- Teardrop - fragmented IP packet
- LAND - LAN denial attack - SYN with same src and dst IP’s

Question 3

IDS

Answer 3

1. Knowledge-based or signature based
   - low false positives
   - cannot detect unknown or new attacks
2. Behavior-based (or statistical or heuristics-based) - first creates baseline of normal activity
   - can be considered expert system or pseudo-AI system
   - high false positives

Question 4

Host-based IDS
- can examine events in more detail
- costlier and harder to manage
- consumes system resources
- intruder may discover and disable

Network-based IDS
- can monitor large network using remote sensors and send to SIEM

Question 5

NIPS (network intrusion prevention system)

Answer 5

Must be placed in-line with traffic

Question 6

Additional Preventive Measures

Answer 6

• Honeypot - attract attackers; includes pseudo-flaws
• Honeynet - network of honeypots
• Warning banners
• Anti-malware
• Whitelisting or blacklisting apps
• Firewalls - block directed broadcasts (unicast until reach dest network then becomes broadcast); block private IP’s at the border; block pings
• Sandboxing

Question 7

Protection of logs

Answer 7

Send one copy to SIEM
Set permissions to logs

Question 8

Monitoring - process of reviewing logs, looking for something specific

Tuning - adjusting security controls to better match needs of org or env

Question 9

SIEM (Security Info and Event Management) system

Answer 9

Central SIEM server
SIEM agents on hosts, network devices, etc.

Question 10

Clipping level

Answer 10

Non-statistical sampling normally used to audit events; only notify when number reaches clipping level
- not as accurate as statistical sampling but easier

Question 11

Other monitoring types

Answer 11

Traffic and trend analysis - looks at network flow

Question 12

SOAR (Security Orchestration, Automation and Response) system

Answer 12

Playbook - doc or checklist on how to verify incident

Runbook - implements the playbook into automated tool

Question 13

ML (machine learning) - starts with rules; part of AI

AI (artificial intelligence) - starts with nothing, and learns the rules based on feedback and applying ML

Answer 13

When applied to behavior-based detection system:
- ML: baseline provided; false positive is fed back; ML refines baseline
- AI: monitors traffic and develops baseline; also uses feedback from admin for false positives

Question 14

Cyber Kill Chain Framework

• Defense by thwarting each of these stages
• use in conjunction with MITRE ATT&CK, which lists attack TTP’s (tactics, techniques, procedures)

Answer 14

7 stages of attack:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on objectives