Chapter 7 Security Assessments

Question 1

What is Threat hunting?

Answer 1

The practice of proactively searching for cyber threats that are inside a network, yet remain undetected.

Question 2

What kind of tools do you use for Cyber threat hunting?

Answer 2

Tools, Techniques, and procedures (TTPs)

Question 3

What is meant by Living off the land?

Answer 3

When an attacker uses system resources to continue their presence

Question 4

What are examples of Indicators of attack (IOA)?

Answer 4

Creating an account, connecting out to a command-and-control server, and moving data off of a network in an encrypted stream

Question 5

What is Intelligence fusion?

Answer 5

A process involving collecting and analyzing threat feeds from both internal and external sources on a large scale

Question 6

What are Threat feeds?

Answer 6

Sources of information concerning adversaries

Question 7

What are Advisories and bulletins?

Answer 7

Published sets of information from partners, such as security vendors, industry groups, the govt, etc

Question 8

What is meant by Maneuver?

Answer 8

The ability to move within a network

Question 9

How can Threat hunting counter an attacker maneuvering through a system?

Answer 9

1. Watching traffic at choke points
2. Analyze the company’s own network infrastructure from an attackers point of view to better understand how an attack can happen

Question 10

What is Vulnerability Scanning?

Answer 10

The process of examining services on computer systems for known vulnerabilities in software

Question 11

What are false positives?

Answer 11

When an Indicator of compromise (IOC) is potentially detected but happened to not be a real threat

Question 12

What is a false negative?

Answer 12

When you test for something, do not get an indication, but the results should have been true

Question 13

What is an example of a false positive?

Answer 13

When you detect a failed login followed by a successful login being labeled as malicious, when the activity was caused by a user making a mistake after recently changing their password

Question 14

What is an example of a false negative?

Answer 14

If you scan ports to find any open ones and you miss a port that is open because the scanner could not detect it being open, and you don’t run a test because of it

Question 15

What are Log reviews?

Answer 15

Logs that provide info as to security incidents, policy violations and other abnormal conditions that require further analysis

Question 16

What is a non-intrusive scan?

Answer 16

A simple scan of open ports and services

Question 17

What is an intrusive scan?

Answer 17

A scan that attempts to leverage potential vulnerabilities through an exploit to demonstrate the vulnerabilities

Question 18

What are Common Vulnerabilities and Exposures (CVE)?

Answer 18

A list of known vulnerabilities in software systems.

Question 19

What is the Common Vulnerabilities Scoring System (CVSS)

Answer 19

A scoring system to determine how risky a vulnerability can be to a system. The CVSS score ranges from 0 to 10

Question 20

What are types of Configuration reviews?

Answer 20

1. Common Configuration Enumeration
2. Common Platform Enumeration
3. National Vulnerability Database

Question 21

What is a System Logging Protocol (Syslog)?

Answer 21

A standard protocol used in Linux systems to send system log or event messages to a specific server called a syslog server

Question 22

What ports does syslog server listens on?

Answer 22

UDP 514 or TCP port 6514

Question 23

Where does Ubuntu store global activity and startup messages in?

Answer 23

/var/log/syslog

Question 24

What is Security Information and Event Management (SIEM)?

Answer 24

designed to collect, aggregate, and apply pattern matching to the volumes of data fro syslogs

Question 25

What is Security Monitoring?

Answer 25

The process of collecting and analyzing info to detect suspicious behavior or unauthorized changes on your network and connected systems.

Question 26

What is a Security orchestration, automation, and response (SOAR) system?

Answer 26

Combine data and alarms from integrated platforms throughout the enterprise and place them in a single location where automated responses can then address threats and vulnerabilities

Question 27

What is Log aggregation?

Answer 27

The process of combining logs together

Question 28

What is Log collectors?

Answer 28

Are pieces of software that function to gather data from multiple independent sources and feed it into a unified source such as a SIEM.