Chapter 7 Security Assessments Flashcards
What is Threat hunting?
The practice of proactively searching for cyber threats that are inside a network, yet remain undetected.
What kind of tools do you use for Cyber threat hunting?
Tools, Techniques, and Procedures (TTPs)
What is meant by Living off the land?
When an attacker uses resources already present on the system to maintain their presence
What are examples of Indicators of attack (IOA)?
Creating an account, connecting out to a command-and-control server, and moving data off of a network in an encrypted stream
What is Intelligence fusion?
A process involving collecting and analyzing threat feeds from both internal and external sources on a large scale
What are Threat feeds?
Sources of information concerning adversaries
What are Advisories and bulletins?
Published sets of information from partners, such as security vendors, industry groups, the government, etc.
What is meant by Maneuver?
The ability to move within a network
How can Threat hunting counter an attacker maneuvering through a system?
- Watching traffic at choke points
- Analyzing the company's own network infrastructure from an attacker's point of view to better understand how an attack can happen
What is Vulnerability Scanning?
The process of examining services on computer systems for known vulnerabilities in software
What are false positives?
When an indicator of compromise (IOC) appears to be detected but turns out not to be a real threat
What is a false negative?
When you test for something and get no indication, although the result should have been positive
What is an example of a false positive?
When a failed login followed by a successful login is labeled as malicious, but the activity was caused by a user making a mistake after recently changing their password
What is an example of a false negative?
When you scan for open ports and miss one that is open because the scanner could not detect it, so you never run a test against it
What are Log reviews?
Reviews of logs that provide information on security incidents, policy violations, and other abnormal conditions that require further analysis
What is a non-intrusive scan?
A simple scan of open ports and services
What is an intrusive scan?
A scan that attempts to leverage potential vulnerabilities through an exploit to demonstrate the vulnerabilities
What are Common Vulnerabilities and Exposures (CVE)?
A list of known vulnerabilities in software systems.
What is the Common Vulnerabilities Scoring System (CVSS)?
A scoring system to determine how risky a vulnerability can be to a system. The CVSS score ranges from 0 to 10.
What are types of Configuration reviews?
- Common Configuration Enumeration
- Common Platform Enumeration
- National Vulnerability Database
What is the System Logging Protocol (Syslog)?
A standard protocol used in Linux systems to send system log or event messages to a specific server called a syslog server
What ports does a syslog server listen on?
UDP port 514 or TCP port 6514
Where does Ubuntu store global activity and startup messages?
/var/log/syslog
What is Security Information and Event Management (SIEM)?
A system designed to collect, aggregate, and apply pattern matching to the large volumes of data from syslogs
What is Security Monitoring?
The process of collecting and analyzing info to detect suspicious behavior or unauthorized changes on your network and connected systems.
What is a Security orchestration, automation, and response (SOAR) system?
A system that combines data and alarms from integrated platforms throughout the enterprise and places them in a single location, where automated responses can then address threats and vulnerabilities
What is Log aggregation?
The process of combining logs together
What are Log collectors?
Pieces of software that gather data from multiple independent sources and feed it into a unified destination such as a SIEM.