Domain 7 Flashcards
Intelligence in Threat Modeling
User and Entity Behavior Analytics
Entity behavior is collected and input into a threat model
- Model establishes a baseline of normal behavior
- Enables analysis to uncover more details around anomalous events
- automated investigation also exists in some platforms
Intelligence in Threat Modeling
Threat Intelligence
Threat feeds
Org learns about changes in threat landscape
Often a feed containing malicious entities ingested by cybersecurity tools
- A single feed may be composed of many sources including open source
- Entity = IP, website, threat actor, file hash, more
Service Level Agreement
Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn’t meet expectations
- generally used with vendors
Secure provisioning
Ensure resources are deployed in a secure manner and maintained securely through their lifecycles
Ex) deploy a PC from a secure image
Virtual Assets
- VMs
- Virtual Desktop Infrastructure (VDI) compute
- Software Defined Networks (SDN) network
- Virtual Storage Area Networks (SAN) storage
Hypervisors are the primary component that manages virtual assets, but also provide hackers with an additional target
- Both hypervisors and VMs need to be patched
Configuration & Change Management
Configuration Management
Ensures that systems are configured similarly, config is known and documented
Baselining ensures systems are deployed with a common starting point (ex. imaging)
Managing Incident Response (7 Steps)
- Detection - Monitoring tools, IPS, firewalls
- Response - Triage, decision to declare (is it really an incident?), limiting damage
- Mitigation - First containment effort to contain an incident
- Reporting - To relevant stakeholders; management decisions
- Recovery - Return to normal; management decisions
- Remediation - Root cause addressed; includes root cause analysis
- Lessons Learned - helps prevent recurrence
DRMRRRL
Espionage
External
When a competitor tries to steal info; they may use an internal employee
Sabotage
Internal
Malicious insiders can perform sabotage against an org if they become disgruntled
Zero-Day Exploit
Brand new vulns
An attack that uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people
- Basic security practices can often still prevent
Sampling
Extracting elements from a large body of data to make a meaningful summary
Statistical Sampling
Using precise mathematical functions to extract meaningful info from a large amount of data
Clipping
A form of non-statistical sampling that records only events that exceed a threshold
Security Audits and Reviews
Helps ensure management programs are effective and being followed
- prevents violations
- can also oversee programs and processes
Includes:
- Patch management
- Vuln management
- Change management
- Config Management
Auditing
(You know what this is but some important notes)
Serves as a primary type of detective control
- Frequency is based on Risk
- Key element for displaying Due Care
- Only people with sufficient privilege should have access
Access Review
Ensures object access and account management practices support the security policy
User Entitlement Audit
Ensures principle of least privilege is followed
Categories of Computer Crimes (6 types)
- Military and Intelligence
- Business
- Financial
- Terrorist
- Grudge
- Thrill
Electronic Discovery (eDiscovery)
Organizations expecting a lawsuit have a duty to preserve digital evidence
Process includes:
- Info ID and Governance
- Preservation and collection
- Processing, review, analysis
- Production / Presentation
- Often uses tagging/classification, targeting specific custodians
Gathering Info in Investigations
Possession
You must have possession of equipment, software, or data to analyze it and use it as evidence
Gathering Info in Investigations
Modification
You must acquire the evidence without modifying it.
- Law enforcement establishes a chain of evidence to document all who handled it
Alternatives to Confiscating Evidence (3 types)
- Voluntary surrender
- Subpoena - Used to compel the subject to surrender evidence
- Search Warrant - Most useful when you need to confiscate evidence without giving the subject the chance to alter it