Course 6 - Week 3 Flashcards

1
Q

Give an example of a detection method that organizations use besides the automated tools already covered, SIEM and IDS.

A

Threat hunting - a detection method in which humans manually search the organization for threats that the automated detection tools did not catch.

Threat hunters draw on a range of technologies and sources to look for threats. For example, they research emerging threats and gather information from OSINT (Open Source Intelligence) platforms.
They also use IOCs (Indicators of Compromise), IOAs (Indicators of Attack) and machine learning to find threats or to learn more about them.

Cyber deception (such as honeypots) can also be deployed for threat detection.

1
Q

Define the Detection and Analysis part of the Incident Response lifecycle.

A

Detection - the prompt discovery of security events.
Analysis - the investigation and validation of alerts.

2
Q

What is Pyramid of Pain?

A

It is a diagram that relates the different types of IOCs to the difficulty an attacker faces in continuing to penetrate a network or device when defenders block or deny that IOC.

Look up an image of the Pyramid of Pain on the internet.

The higher an IOC sits in the list below (the larger its number), the more difficult and costly it is for the attacker when that IOC is blocked.

  1. File hashes
  2. IP addresses
  3. Domain names
  4. Network/host artifacts
  5. Attack tools
  6. TTPs - Tactics, Techniques and Procedures
3
Q

How does a security analyst investigate an event in which an IOC has been found?

A

To add context to the investigation or to get more information about an IOC, security analysts make use of threat intelligence. For example, if we have a malicious file, we can compute its hash and then look up that hash on virustotal.com to get more context about the file.

4
Q

What is crowdsourcing?

A

Crowdsourcing is the practice of gathering information using public input and collaboration. Threat intelligence platforms use crowdsourcing.

5
Q

What is the use of documentation?

A

Having documentation provides the following benefits -

  1. Clarity - for example, playbooks provide clarity
  2. Standardization -
  3. Transparency - for example, the chain of custody
6
Q

What is a broken chain of custody?

A

It is the scenario in which documentation about who handled the evidence, or when they handled it, is missing.

It also covers inconsistencies in the collection and logging of evidence in the chain of custody.

7
Q

What are some best practices for creating documentation?

A
  1. Know your audience
  2. Be concise
  3. Update regularly
8
Q

What is triaging, and what steps does the security analyst perform as part of it?

A

While responding to alerts, the security analyst performs the process of triaging.

Triaging is the prioritizing of incidents according to their level of importance or urgency.

It involves 3 steps -

  1. Receive and assess -
  2. Assign a priority
  3. Collect and analyze -
9
Q

What are the 3 steps involved in the triaging process?

A
  1. Receive and assess - In this step, the security analyst validates the alert and gets a complete understanding of it.
    Some questions to ask in this step -
    - Is this a false positive?
    - Has this alert been triggered before?
    - Has this alert been triggered by a known vulnerability?
    - What is the severity of this alert?
  2. Assign a priority - While assigning priority, we consider the following things.
    - Functional impact
    - Information impact
    - Recoverability
  3. Collect and analyze -
10
Q

What are the benefits of triaging?

A
  1. Resource management
  2. Standardized approach
11
Q

Define containment, eradication and recovery.

A

Containment - the act of limiting and preventing additional damage caused by an incident.
Eradication - the process of removing all the elements related to an incident. Ex - running vulnerability assessments and applying patches to the vulnerabilities found.
Recovery - the process of returning affected systems to their normal operation. It involves activities such as updating firewall rules, re-imaging systems, resetting passwords, etc.

12
Q

What is a business continuity plan?

A

It is a document that outlines the procedures to sustain business operations during and after a significant disruption.
It is not the same as a Disaster recovery plan.

Business continuity strategies include hot sites, warm sites, and cold sites.

13
Q

What steps are involved in post-incident actions?

A

Post-incident activity is the process of reviewing an incident response to identify areas of improvement in incident handling.

It involves the creation of a final report document.
It also involves conducting a lessons learned meeting.

14
Q

What is the final report produced during post-incident activity, and what elements does it include?

A

The final report is documentation that provides a comprehensive review of the incident.
It includes the following -

  1. Executive summary
  2. Timeline
  3. Investigation
  4. Recommendations -
15
Q

What is log analysis?

A

It is the process of examining logs to identify events of interest.

16
Q

What are the different sources of logs?

A

Network logs - logs generated by network devices such as routers, switches, etc.

Endpoint logs -

Application logs -

Authentication logs - logs generated whenever authentication occurs.

Security logs - examples of security logs are the logs generated by antivirus, IPS/IDS, etc.

17
Q

What is log management?

A

Log management is the process of managing log collection, storage, analysis, and disposal.

When logs are generated, they are sent to a dedicated server using log forwarders.

18
Q

What are the different variations of logs?

A

Different sources create logs in different formats -

Every log contains the following things - a timestamp, system characteristics, and actions.

The following are the different log formats -

  1. JSON
  2. XML
  3. Syslog
  4. CEF - Common Event Format
  5. CSV - comma-separated values
19
Q

Define the structure of JSON logs.

A

JSON - JavaScript Object Notation

A JSON log is made up of objects whose properties are written as key-value pairs.

For example -

{
  "user": {
    "id": "1234",
    "name": "user",
    "role": "engineer"
  }
}

20
Q

Define XML log format.

A

XML - Extensible Markup Language is a format used to store and transmit data over the wire.
Its syntax has the following parts - tags, elements, and attributes.
Attributes describe the data enclosed in the tags.

<Event>
  <Data Name='SubjectUserID'>
    2-2-3-11-160321
  </Data>

  <version>5</version>
</Event>

21
Q

Define Syslog and its log format.

A

Syslog can act as a protocol, and it can also act as a service that collects log data from sources; it also has its own log format.

It is a standard for logging and transmitting data.
Note - Syslog uses port 514 for plaintext logs and 6514 for encrypted (TLS) logs.

It is the native log format on Unix systems. A syslog entry has 3 components - a header, structured data, and a message.

Example -

<366>1 2022-03-21T01:11:11.0032 virtual.machine.com eventlog - ID01 [user@32473 iut="1" eventSource="Application" eventID="999"] This is a log entry!

22
Q

Define the CSV log format.

A

CSV uses commas to separate data values. In CSV log files, the position of each value corresponds to its field name, but the field names themselves might not be included in the log. It is critical to understand which fields the source device (such as an IPS, firewall, or scanner) includes in the log, and in what order.

23
Q

What is the Common Event Format?

A

It is a log format that uses key-value pairs to structure data and to identify fields and their corresponding values.
CEF has the following syntax -

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Fields are separated with a pipe character. However, anything in the extension part of the CEF log entry must be written as key-value pairs. Syslog is a common way to transport logs such as CEF; when syslog is used, a timestamp and hostname are prepended to the CEF message.

24
Q

Define the term telemetry.

A

It is the collection and transmission of data for analysis. For example, packet captures are considered network telemetry.

25
Q

What are the different techniques that an IDS or IPS uses to detect any kind of threat or malicious activity?

A

IDS/IPS use signature-based analysis (matching traffic against known patterns) and anomaly-based analysis (looking for deviations from a baseline of normal network behavior).

An IDS can be network-based (NIDS) or host-based (HIDS).

26
Q

What are some advantages and disadvantages of anomaly-based IDS?

A

Advantage - it can detect new and emerging threats.
Disadvantages -
- High rate of false positives
- Pre-existing compromise - if an attacker is already present during the training phase, their malicious behavior becomes part of the baseline, so the pre-existing attacker can be missed.

27
Q

What are the components of an IDS/IPS detection signature?

A
  1. Action - the action can be pass, alert or reject.
  2. Header - defines the network traffic the signature applies to. It holds information such as protocol, source IP, destination IP and ports.
  3. Rule options - rule options customize the signature with additional parameters. Typically, rule options are separated by semicolons and enclosed in parentheses.

Ex -

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Get on wire"; flow:established; content:"get"; nocase; sid:1234; rev:1;)

This rule alerts on a GET request (matched case-insensitively in the payload) on an established HTTP connection from the internal network to the external network.

28
Q

What is Suricata, what is its log format, and what kinds of logs does it create?

A

Suricata is an open-source IDS. Its log format is called EVE JSON - Extensible Event Format JSON. Log files created by Suricata - eve.json, fast.log

The two types of logs that Suricata creates are the following -
1. Alert logs - alert logs contain information related to security investigations.
2. Network telemetry logs - these contain information about the network traffic flows.

29
Q

What is a configuration file?

A

It is a file used to configure the settings of an application. The Suricata configuration file is suricata.yaml.

30
Q

Give an example of running Suricata on a packet capture file.

A

sudo suricata -r sample.pcap -S custom.rules -k none

31
Q

What is the name of the query language used in Splunk?

A

It is called SPL - Search Processing Language. SPL is used to search and retrieve events from indexes using Splunk's Search and Reporting app.
Example of a basic SPL search that queries an index for events containing "fail" -

index=main fail

An index stores events that have been collected and processed by Splunk.
