Chapter 8 - Monitoring and Analysis Flashcards
What are the two different types of Intrusion Detection Systems?
Network Based IDS
- Monitors network traffic
Host Based IDS
- Monitors a single host or server for malicious traffic
What is the difference between Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)?
IDS are NOT placed in line with network traffic; they simply monitor traffic using IDS agents.
IPS are placed IN LINE with network traffic, as they have functionality to detect and block traffic they deem to be malicious.
IPS can make network modifications to block/quarantine malicious traffic/host.
What are signature based detection methods?
Signature Based Detection methods are based on known signatures for malicious activity/behavior.
AV signatures are databases used to compare and identify indicators of maliciousness.
What are Anomaly based detection methods?
Anomaly based detection or Behavior based detection utilizes Baseline Behavior patterns to detect signs of maliciousness.
Any behavior that significantly differs from baseline levels set by administrators is then raised with SOC teams for analysis.
Baseline Behavior is constantly updated to ensure proper detections are in place.
What are some of the techniques organizations use to detect unauthorized file changes?
- File Identity Checkers
- Hashes are compared to previous hashes periodically to determine if a file has been altered.
- Unauthorized Connections
- IDS monitor network traffic to determine if any new connections are not deemed to be authorized.
What are honeypots?
Honeypots are essentially network traps to entice threat actors to try and gain access to them.
They are well monitored and sandboxed in order to observe any new TTPs.
A honeynet is a network between two honeypot servers to try and mimic network traffic.
What are vulnerability assessments?
Vulnerability Assessments test an organization's security countermeasures and controls against known vulnerabilities.
The aim of a VA is to validate that controls are functioning as intended, along with identifying any gaps in countermeasures.
What are the 3 different Pentest/VA test types?
White Box
- Conducted by internal testers with knowledge of systems and controls they are testing.
Black Box
- Conducted by external testers with no knowledge of controls and countermeasures put in place by the organization.
Grey Box
- Somewhere in the middle of both White and Black Box testing
- For example, purple testing, or security consultants testing a new application they have not seen before.
What are Infrastructure Security Configuration Reviews?
Infrastructure Security Configuration Reviews aim to review whether appropriate system hardening is in place, along with ensuring that assets are configured according to agreed-upon security policies.
Typical things reviewed are:
- Network Vulnerabilities
- System Hardening
- Security Border Controls
What are the steps involved with Vulnerability Assessments?
- Organization Permission
- Discovery and Reconnaissance
- Result Analysis
- Result Documentation
- Recommend methods to reduce vulnerabilities
- Present Recommendations
- Remediate Vulnerabilities
- Validate Remediation
- Audit Remediation periodically
How do penetration tests differ from vulnerability assessments?
Pen Tests go further than VAs, as they actively try to exploit the identified vulnerabilities.