CISSP ch 17 Flashcards
Incident
any event that has a negative effect on the confidentiality, integrity or availability of an organization’s assets
security incident
an incident that is the result of an attack or the result of malicious or intentional actions on the part of users
Incident management steps (7)
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons learned
CIRT or CSIRT
Computer incident response team
Computer security incident response team
the designated incident response team
Preventive control
attempts to thwart or stop unwanted or unauthorized activity from occurring
E.g., fences, locks, biometrics, separation of duties policies, job rotation policies, data classification, access control methods, encryption, smart cards, callback procedures, security policies, security awareness training, antivirus software, firewalls and intrusion prevention systems
Detective control
attempts to discover or detect unwanted or unauthorized activity; operate after the fact
E.g., security guards, motion detectors, recording and reviewing events captured by security cameras or closed circuit television (CCTV), job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection systems, violation reports, supervision and reviews of users and incident investigations
C2 server / C&C
command and control server (botnet)
DRDoS
distributed reflective denial-of-service = uses a reflected approach to an attack; doesn’t attack the victim directly but instead manipulates traffic or a network service so that the attack is reflected back to the victim from other sources
E.g., DNS poisoning attacks, smurf attacks and fraggle attacks
SYN flood attack
a common DoS attack = disrupts the standard three-way handshake used by the Transmission Control Protocol (TCP) to initiate the communication sessions = attackers send multiple SYN packets but never complete the connection with an ACK
TCP reset attack
spoofing the source IP address in a RST packet (reset) to disconnect active sessions
Smurf attack
another type of flood attack, but it floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of with TCP SYN packets = a spoofed broadcast ping request using the IP address of the victim as the source IP address
fraggle attack
similar to smurf attacks, but instead of using ICMP, uses UDP packets over UDP ports 7 and 19 = broadcasts a UDP packet using the spoofed IP address of the victim; all systems on the network then send traffic to the victim
Ping flood attack
floods a victim with ping requests (e.g., sent from a botnet)
MiTM attack
man-in-the-middle attack = on-path attack
IDS
Intrusion detection system = automates the inspection of logs and real-time system events to detect intrusion attempts and system failures
IDPS
Intrusion detection and prevention system
IPS
Intrusion prevention system = placed inline with traffic
Knowledge/signature based detection
pattern-matching detection = uses signatures similar to the signature definitions used by antimalware software
Low false positive rate
Only effective against known attack methods
Behavior based detection
statistical intrusion detection = anomaly detection = heuristics-based detection = doesn’t use signatures, instead compares activity against baseline of normal performance to detect abnormal behavior
NOCs
network operations centers
a centralized location where computer, telecommunications, or satellite network systems are monitored and managed 24x7
HIDS
host-based IDS = monitors a single computer or host
NIDS
network-based IDS = monitors a network by observing network traffic patterns
SIEM
security information and event management
SPAN port
Switched Port Analyzer port = port used for port mirroring (mirroring all traffic on the switch)
RARP
Reverse Address Resolution Protocol = used by a NIDS to discover the source of an attack
NIPS
network-based IPS
Pseudo-flaws
false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers
IANA
Internet Assigned Numbers Authority = maintains a list of well-known ports matched to protocols
WAF
web application firewall
NGFW
next generation firewall
UTM
unified threat management
Security logs
Record access to resources such as files, folders, printers and so on
System logs
Record system events such as when a system starts or stops, when services start or stop, or when service attributes are modified
Application logs
Record information for specific applications
Firewall logs
Record events related to any traffic that reaches a firewall
Includes traffic that the firewall allows and traffic that the firewall blocks
Commonly log packet information such as source and destination IP addresses and source and destination ports but not the packets’ actual contents
Proxy logs
Record details such as what sites specific users visit and how much time they spend on these sites
Record when users attempt to visit known prohibited sites
Change logs
Record change requests, approval and actual changes to a system as a part of an overall change management process
FIPS 200
Minimum Security Requirements for Federal Information and Information Systems
NTP
Network Time Protocol = used to ensure that logs have accurate timestamps
SIEM tools
(security information and event management) tools
Provide centralized logging and real-time analysis of events occurring on systems throughout an organization
Syslog protocol
used to send event notification messages
Defined in RFC 5424
A centralized syslog server receives syslog messages from devices on a network
The protocol defines how to format the messages and how to send them to the syslog server but not how to handle them
Has historically been used in Unix and Linux systems
syslog daemon
handles all incoming syslog messages, similar to how a SIEM server provides centralized logging
clipping
a form of nonstatistical sampling; selects only events that exceed a clipping level, which is a predefined threshold for the event
traffic / trend analysis
network flow monitoring = forms of monitoring that examine the flow of packets rather than actual packet contents
rollover / circular logging
log cycling = allows administrators to set a maximum log size; when the log reaches that size, the system begins overwriting the oldest events in the log
DLP techniques
data loss prevention techniques = used to detect or prevent data exfiltration
Digital watermark
a secretly embedded marker in a digital file; doesn’t work if the file is encrypted
SOAR
Security orchestration, automation and response = a group of technologies that allow organizations to respond to some incidents automatically
Playbook and Runbook
Playbook = a document or checklist that defines how to verify an incident and to respond
Runbook = implements the playbook data into an automated tool
Cyber Kill Chain
(created by Lockheed Martin)
Reconnaissance: Attackers gather information on the target
Weaponization: Attackers identify an exploit that the target is vulnerable to, along with methods to send the exploit
Delivery: Attackers send the weapon to the target via phishing attacks, malicious email attachments, compromised websites, or other common social engineering methods
Exploitation: The weapon exploits a vulnerability on the target system
Installation: Code that exploits the vulnerability then installs malware; the malware typically includes a backdoor, allowing the attacker to access the system remotely
Command and Control: Attackers maintain a command and control system, which controls the target and other compromised systems
Actions on objectives: Attackers execute their original goals such as theft of money, theft of data, data destruction or installing additional malicious code such as ransomware
TTPs
tactics, techniques and procedures
Threat feed and threat intelligence feed
Threat feed = a steady stream of raw data related to current and potential threats
Threat intelligence feed = attempts to extract actionable intelligence from the raw data = examples of information:
Suspicious domains
Known malware hashes
Code shared on internet sites
IP addresses linked to malicious activity
threat hunting
process of actively searching for cyber threats in a network