Chapter 7 Security Assessments Flashcards

1
Q

What is Threat hunting?

A

The practice of proactively searching for cyber threats that are inside a network, yet remain undetected.

2
Q

What kind of tools do you use for Cyber threat hunting?

A

Tools, Techniques, and procedures (TTPs)

3
Q

What is meant by Living off the land?

A

When an attacker uses system resources to continue their presence

4
Q

What are examples of Indicators of attack (IOA)?

A

Creating an account, connecting out to a command-and-control server, and moving data off of a network in an encrypted stream

5
Q

What is Intelligence fusion?

A

A process involving collecting and analyzing threat feeds from both internal and external sources on a large scale

6
Q

What are Threat feeds?

A

Sources of information concerning adversaries

7
Q

What are Advisories and bulletins?

A

Published sets of information from partners, such as security vendors, industry groups, the government, etc.

8
Q

What is meant by Maneuver?

A

The ability to move within a network

9
Q

How can Threat hunting counter an attacker maneuvering through a system?

A
  1. Watching traffic at choke points
  2. Analyze the company’s own network infrastructure from an attacker’s point of view to better understand how an attack can happen

10
Q

What is Vulnerability Scanning?

A

The process of examining services on computer systems for known vulnerabilities in software

11
Q

What are false positives?

A

When an Indicator of compromise (IOC) is potentially detected but happened to not be a real threat

12
Q

What is a false negative?

A

When you test for something, do not get an indication, but the results should have been true

13
Q

What is an example of a false positive?

A

When you detect a failed login followed by a successful login being labeled as malicious, when the activity was caused by a user making a mistake after recently changing their password

14
Q

What is an example of a false negative?

A

If you scan ports to find any open ones and you miss a port that is open because the scanner could not detect it being open, and you don’t run a test because of it

15
Q

What are Log reviews?

A

Logs that provide info as to security incidents, policy violations and other abnormal conditions that require further analysis

16
Q

What is a non-intrusive scan?

A

A simple scan of open ports and services

17
Q

What is an intrusive scan?

A

A scan that attempts to leverage potential vulnerabilities through an exploit to demonstrate the vulnerabilities

18
Q

What are Common Vulnerabilities and Exposures (CVE)?

A

A list of known vulnerabilities in software systems.

19
Q

What is the Common Vulnerability Scoring System (CVSS)?

A

A scoring system to determine how risky a vulnerability can be to a system. The CVSS score ranges from 0 to 10

20
Q

What are types of Configuration reviews?

A
  1. Common Configuration Enumeration
  2. Common Platform Enumeration
  3. National Vulnerability Database

21
Q

What is a System Logging Protocol (Syslog)?

A

A standard protocol used in Linux systems to send system log or event messages to a specific server called a syslog server

22
Q

What ports does a syslog server listen on?

A

UDP 514 or TCP port 6514

23
Q

Where does Ubuntu store global activity and startup messages?

A

/var/log/syslog

24
Q

What is Security Information and Event Management (SIEM)?

A

Designed to collect, aggregate, and apply pattern matching to the volumes of data from syslogs

25
Q

What is Security Monitoring?

A

The process of collecting and analyzing info to detect suspicious behavior or unauthorized changes on your network and connected systems.

26
Q

What is a Security orchestration, automation, and response (SOAR) system?

A

Combine data and alarms from integrated platforms throughout the enterprise and place them in a single location where automated responses can then address threats and vulnerabilities

27
Q

What is Log aggregation?

A

The process of combining logs together

28
Q

What are Log collectors?

A

Pieces of software that function to gather data from multiple independent sources and feed it into a unified source such as a SIEM.