Domain 7 Flashcards
Intelligence in Threat Modeling
User and Entity Behavior Analytics
Entity behavior is collected and input into a threat model
- Model establishes a baseline of normal behavior
- Enables analysis to uncover more details around anomalous events
- Automated investigation also exists in some platforms
Intelligence in Threat Modeling
Threat Intelligence
Threat feeds
Org learns about changes in threat landscape
Often a feed containing malicious entities ingested by cybersecurity tools
- A single feed may be composed of many sources including open source
- Entity = IP, website, threat actor, file hash, more
Service Level Agreement
Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn’t meet expectations
- generally used with vendors
Secure provisioning
Ensure resources are deployed in a secure manner and maintained securely through their lifecycles
Ex) deploy a PC from a secure image
Virtual Assets
- VMs
- Virtual Desktop Infrastructure (VDI) compute
- Software Defined Networks (SDN) network
- Virtual Storage Area Networks (SAN) storage
Hypervisors are the primary component that manages virtual assets, but they also provide hackers with an additional target
- Both hypervisors and VM need to be patched
Configuration & Change Management
Configuration Management
Ensures that systems are configured similarly, config is known and documented
Baselining ensures systems are deployed with a common starting point (ex: imaging)
Managing Incident Response (7 Steps)
- Detection - Monitoring tools, IPS, firewalls
- Response - Triage, decision to declare (is it really an incident?) Limiting damage
- Mitigation - First containment effort contain an incident
- Reporting - To relevant stakeholders; supports management decisions
- Recovery - Return to normal; management decisions
- Remediation - Root cause addressed; includes root cause analysis
- Lessons Learned - helps prevent recurrence
DRMRRRL
Espionage
External
When a competitor tries to steal info, and they may use an internal employee
Sabotage
Internal
Malicious insiders can perform sabotage against an org if they become disgruntled
Zero-Day Exploit
Brand new vulns
An attack that uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people
- Basic security practices can often still prevent
Sampling
Extracting elements from a large body of data to make a meaningful summary
Statistical Sampling
Using precise mathematical functions to extract meaningful info from a large amount of data
Clipping
A form of non-statistical sampling that records only events that exceed a threshold
Security Audits and Reviews
Helps ensure management programs are effective and being followed
- prevents violations
- can also oversee programs and processes
Includes:
- Patch management
- Vuln management
- Change management
- Config Management
Auditing
(You know what this is but some important notes)
Serves as a primary type of detective control
- Frequency is based on Risk
- Key element for displaying Due Care
- Only people with sufficient privilege should have access
Access Review
Ensures object access and account management practices support the security policy
User Entitlement Audit
Ensures principle of least privilege is followed
Categories of Computer Crimes (6 types)
- Military and Intelligence
- Business
- Financial
- Terrorist
- Grudge
- Thrill
Electronic Discovery (eDiscovery)
Organizations expecting lawsuit have a duty to preserve digital evidence
Process includes:
- Info ID and Governance
- Preservation and collection
- Processing, review, analysis
- Production / Presentation
- Often uses tagging classification, target specific custodian
Gathering Info in Investigations
Possession
You must have possession of the equipment, software, or data to analyze it and use it as evidence
Gathering Info in Investigations
Modification
You must acquire the evidence without modifying it.
- Law enforcement establishes a chain of evidence to document all who handled it
Alternatives to Confiscating Evidence (3 types)
- Voluntary surrender
- Subpoena - Used to compel the subject to surrender evidence
- Search Warrant - Most useful when you need to confiscate evidence without giving the subject the chance to alter it
Retaining Investigation Data
You will lose valuable evidence unless you ensure critical log files are retained for a reasonable period of time
- You can retain log files and system status info either in place or in archives
- Data retention should be defined in security policies
Evidence Types
Best
Original
NOTE:
Evidence must be relevant, complete, sufficient and reliable
Evidence Types
Secondary Evidence
Copy
Evidence Types
Direct
Proves or disproves an act based on the five senses
Evidence Types
Conclusive
Incontrovertible, overrides all other types
Evidence Types
Circumstantial
Inference from other info
Evidence Types
Corroborative
Supporting evidence but cannot stand on its own
Evidence Types
Opinions
Expert and non expert
Evidence Types
Hearsay
Not based on first hand knowledge
3 Types of evidence that may be used in a criminal or civil trial
- Real evidence - actual objects brought into the courtroom
- Documentary evidence - Written documents
- Testimonial Evidence - verbal / written statements made by witnesses
3 Requirements for evidence to be admissible in a court of law
- Must be relevant to a fact at issue in the case
- The fact must be material to the case
- Evidence must be competent or legally collected
- Evidence is competent if it complies with certain traditional notions of reliability
Recovery Site Types
COLD
Just a data center space, power, and network connectivity that's ready and waiting for when you need it
- If disaster happens, support teams can help move your hardware into the data center and get you back up and running
- Cost = LOW
- Effort = HIGH
Recovery Site Types
WARM
Preventative site that allows you to pre-install your hardware and pre-configure your bandwidth needs
- If disaster strikes, all you have to do is load your software and data to restore business systems
- Cost = MID
- Effort = MID
Recovery Site Types
HOT
Proactive site allows you to keep servers and a live backup site up and running
- Allows for an immediate cutover in case of a disaster at primary site.
- Cost = HIGH
- Effort = LOW
Recovery Site Types
Service Bureau
A company that leases computer time
- Larger server farms or fields of workstations
- May be onsite or remote
Recovery Site Types
Mobile Site
Typically self-contained trailers or moveable units
Recovery Point Objective (RPO)
The age of files that must be recovered from backup storage for normal operations to resume if a system or network goes down
Recovery Time Objective (RTO)
The duration of time and a service level within which a business process must be restored.
Mutual Assistance Agreements (MAAs)
(Pros and Cons)
Pros:
- Provide inexpensive alternative to disaster recovery sites
Cons:
- Orgs involved may be shut down by the same disaster and MAAs raise confidentiality concerns
- MAAs are uncommon because they are difficult to enforce
More BCP Definitions
Business Resumption Plan (BRP)
Plan to move from the disaster recovery site back to business environment
More BCP Definitions
Mean Time Between Failures (MTBF)
Time determination for how long a piece of IT infrastructure will continue to work before it fails
More BCP Definitions
Mean Time to Repair (MTTR)
How long it will take to get a piece of hardware / software repaired and back online
More BCP Definitions
Max Tolerable Downtime (MTD)
Amount of time we can be without an asset BEFORE we must declare a disaster
Disaster Recovery Plan Test Types
Read-through Test
Distribute copies of disaster recovery plans to the members of the disaster recovery team for review
Disaster Recovery Plan Test Types
Structured Walk-through
AKA Table-top exercise
Members of recovery team meet and role-play disaster scenario
- Usually exact scenario is only known to the test monitor
Disaster Recovery Plan Test Types
Simulation Test
Similar to walk through but some of the response measures are actually tested
Disaster Recovery Plan Test Types
Parallel Test
Relocating personnel to an alternative recovery site and implementing site activation procedures
- Practice disaster recovery at alt site
Disaster Recovery Plan Test Types
Full Interruption Test
Actually shutting down operations at the primary site and shifting them to the alt site
DR Related Terms
Recovery Team
Gets the critical business functions running at alt site
DR Related Terms
Salvage Team
Used to return the primary site to normal conditions
Backup Strategies
Electronic Vaulting
Used to transfer DB backups to a remote site as part of bulk transfer
Backup Strategies
Remote Journaling
Transmitting only the journal / transaction logs to the off-site facility and not the actual files
Backup Strategies
Remote Mirroring
Live DB Server is maintained at the backup site
- Most advanced and most expensive