Deck2 Flashcards
The process through which data generated in the ongoing use of information systems is collected, processed, analyzed, and disseminated to provide insights into the security status of those systems
Security Intelligence
Structured Threat Information eXpression (STIX)
A standard terminology for IoCs and ways of indicating relationships between them, included as part of the OASIS Cyber Threat Intelligence (CTI) framework. STIX is expressed in JavaScript Object Notation (JSON) format and consists of attribute: value pairs
Trusted Automated eXchange of Indicator Information (TAXII)
A protocol for supplying codified information to automate incident detection and analysis
OpenIOC
A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis
Malware Information Sharing Project (MISP)
MISP provides a server platform for cyber threat intelligence sharing, a proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII
whois
A public listing of all registered domains and their registered administrators
Switched Port Analyzer (SPAN)
Allows for the copying of ingress and/or egress communications from one or more switch ports to another
Domain Generation Algorithm (DGA)
A method used by malware to evade blacklists by generating domain names for C&C networks dynamically
The principal HTTP method, used to retrieve a resource
GET
Used to send data to the server for processing by the requested resource
POST
Creates or replaces the requested resource
PUT
Used to remove the requested resource
DELETE
Retrieves the headers for a resource only and ignores the body
HEAD
200
Indicates a successful GET or POST request (OK)
3xx
Any code in this range indicates that the server has issued a redirect
4xx
Any code in this range indicates an error in the client request
403
Indicates that a request did not have sufficient permissions
404
Indicates that a request did not have sufficient permissions
5xx
Any code in this range indicates a server-side issue
Percent Encoding
A mechanism to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding
Firewall logs can provide you with four types of useful security data
Connections that are permitted or denied
Port and protocol usage in the network
Bandwidth utilization with the duration and volume of usage
An audit log of the address translations (NAT/PAT) that occurred
Reverse Proxy
A type of proxy server that protects servers from direct contact with client requests
Sysinternals
A suite of tools designed to assist with troubleshooting issues with Windows; many of the tools are suited to investigating security issues
Manages low-level Windows functions, and it is normal to see several of these running (as long as they are launched from %SystemRoot%\System32 and have no parent)
Client Server Runtime SubSystem (csrss.exe)
Manages drivers and services and should only have a single instance running as a process
WININIT (wininit.exe)
Hosts nonboot drivers and background services; there should only be one instance of services.exe running as a child of wininit.exe, with other service processes showing as a child of services.exe or svchost.exe
Services.exe
Handles authentication and authorization services for the system, and should have a single instance running as a child of wininit.exe
Local Security Authority SubSystem (lsass.exe)
Manages access to the user desktop and should have only one instance for each user session, with the Desktop Window Manager (dwm.exe) as a child process in modern versions of Windows
WINLOGON (winlogon.exe)
Sets up the shell (typically explorer.exe) and then quits, so you should only see this process briefly after log-on
USERINIT (userinit.exe)
This is the typical user shell, launched with the user's account privileges rather than SYSTEM's, and is likely to be the parent for all processes started by the logged-on user
Explorer (explorer.exe)
DNS record identifying hosts authorized to send mail for the domain, with only one being allowed per domain
Sender Policy Framework (SPF)
Provides a cryptographic authentication mechanism for mail utilizing a public key published as a DNS record
DomainKeys Identified Mail (DKIM)
Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
A framework for ensuring proper application of SPF and DKIM utilizing a policy published as a DNS record
DMARC can use either SPF or DKIM or both
SMTP Log Analysis
SMTP logs are typically formatted in request/response fashion and record:
- Time of request/response
- Address of recipient
- Size of message
- Status code
Secure/Multipurpose Internet Mail Extensions (S/MIME)
An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications
File Transfer Protocol
21 (FTP)
Secure Shell/FTP over SSH
22 (SSH/SFTP)
Telnet – an insecure remote administration interface
23 (TELNET)
Simple Mail Transfer Protocol
25 (SMTP)
Domain Name System uses TCP for zone transfers
53 (DNS)
Post Office Protocol is a legacy mailbox access protocol
110 (POP3)
NetBIOS Session Service supports Windows File Sharing with pre-Windows 2000 version hosts
139 (NETBIOS-SSN)
Internet Mail Access Protocol
143 (IMAP)
Server Message Block
445
Post Office Protocol Secure
995 (POP3S)
MySQL database connection
3306 (MySQL)
Remote Desktop Protocol
3389 (RDP)
Domain Name System uses UDP for DNS queries
53 (DNS)
Trivial File Transfer Protocol
69 (TFTP)
Dynamic Host Configuration Protocol (DHCP)
67/68
Network Time Protocol
123
NetBIOS
137/138/139
Server port for a syslog daemon
514 (SYSLOG)
A software development model that focuses on iterative and incremental development to account for evolving requirements and expectations
Agile Method
A software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete
Waterfall Method